Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
FastInfoset-1.2.15.jar
File Path: /home/vaclav/.m2/repository/com/sun/xml/fastinfoset/FastInfoset/1.2.15/FastInfoset-1.2.15.jar
MD5: 57f3894ad7e069ae740b277d92d10fa0
SHA1: bb7b7ec0379982b97c62cd17465cb6d9155f68e8
SHA256: 785861db11ca1bd0d1956682b974ad73eb19cd3e01a4b3fa82d62eca97210aec
Referenced In Project/Scope: OpenKM Web Application:runtime
FastInfoset-1.2.15.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.1
InitialNotification.jar
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/resources/extensions/expiration/InitialNotification.jar
MD5: 6bf4a2d1540615a7d693b9a22b28e36a
SHA1: 25ef3d085364657e9fefb4844866d9347d13dbd6
SHA256: 77b4681d98f58ceea2f206221098048b43bf83a5d34a41dcc57a333217b8ca92
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | InitialNotification | High
Vendor | jar | package name | extension | Low
Vendor | jar | package name | nov | Low
Vendor | jar | package name | openkm | Low
Product | file | name | InitialNotification | High
Product | jar | package name | extension | Low
Product | jar | package name | initialnotification | Low
Product | jar | package name | nov | Low
Identifiers
None
activation-1.1.jar
Description:
JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
License:
Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /home/vaclav/.m2/repository/javax/activation/activation/1.1/activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
SHA256: 2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3
Referenced In Project/Scope: OpenKM Web Application:compile
activation-1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.sun.mail/javax.mail@1.6.2
active-line.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/selection/active-line.js
MD5: 9a393ed5437f0f43e129c675084c5309
SHA1: 323e8d3ca1625cf3c2a631f3d94a62f369ebc4ce
SHA256: ede02e85aec5e32571e5714140cc0f54840833298a622af326d3d1f30ef164b1
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
ant-1.7.0.jar
Description:
Apache Ant
File Path: /home/vaclav/.m2/repository/org/apache/ant/ant/1.7.0/ant-1.7.0.jar
MD5: 133e8979e9c11450f557ca890177fe0a
SHA1: 9746af1a485e50cf18dcb232489032a847067066
SHA256: 92f72307e7440f1e352c916f2438d2bbab3ffd2cf730c71316117ad04abadea8
Referenced In Project/Scope: OpenKM Web Application:compile
ant-1.7.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.jbpm.jbpm3/jbpm-jpdl@3.3.1.OKM
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory, leading to an out-of-memory error even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats of ZIP archives are, for instance, JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 is affected.
CWE-130 Improper Handling of Length Parameter Inconsistency
Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
ant-launcher-1.7.0.jar
File Path: /home/vaclav/.m2/repository/org/apache/ant/ant-launcher/1.7.0/ant-launcher-1.7.0.jar
MD5: e0c8b3f9390a5d784bbdb6a21f2abd1d
SHA1: e7e30789211e074aa70ef3eaea59bd5b22a7fa7a
SHA256: 72b3d03e0d7d86a56513ec38dd4cd6abe3da6620189be222ab255352cb6eba4a
Referenced In Project/Scope: OpenKM Web Application:compile
ant-launcher-1.7.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.jbpm.jbpm3/jbpm-jpdl@3.3.1.OKM
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
antlr-2.7.6.jar
File Path: /home/vaclav/.m2/repository/antlr/antlr/2.7.6/antlr-2.7.6.jar
MD5: 97c6bb68108a3d68094eab0f67157962
SHA1: cf4f67dae5df4f9932ae7810f4548ef3e14dd35e
SHA256: df74f330d36526ff9e717731fd855152fcff51618f0b5785d0049022f89d568b
Referenced In Project/Scope: OpenKM Web Application:compile
antlr-2.7.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-core@3.6.10.Final
antlr-runtime-3.5.jar
Description:
A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
File Path: /home/vaclav/.m2/repository/org/antlr/antlr-runtime/3.5/antlr-runtime-3.5.jar
MD5: aa6d7c8b425df59f5f5bc98c58cfd9fc
SHA1: 0baa82bff19059401e90e1b90020beb9c96305d7
SHA256: 7ef52a4e25ea2472a0ae62ae1d5ccaa7ef23be188289ad225fcb8a452a1b738d
Referenced In Project/Scope: OpenKM Web Application:compile
antlr-runtime-3.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-support@0.12.0
anyword-hint.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/anyword-hint.js
MD5: 26c98398f27a02685ce046fa1b990bca
SHA1: 077a75e4f83aee91315b97a73b53b595f2dfde25
SHA256: 22b92f64b78dc8993294f78dd4a322940479e2fe80dea5a3391bd9b00957fd6f
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
aopalliance-1.0.jar
Description:
AOP Alliance
License:
Public Domain
File Path: /home/vaclav/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256: 0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope: OpenKM Web Application:compile
aopalliance-1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-core@3.2.10.RELEASE
apl.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/apl/apl.js
MD5: 129d6e9dea877596d1dbb1c82b136427
SHA1: 51a70fa97bb80b466c1f96bb201d91902da79726
SHA256: f296e1571bbb63d5f9894f3ba571ac3f720a044548e71a9bdbad7b4d467b8f9c
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
ar.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ar.js
MD5: 1b752db44cf0ed72b42bd7130b8ce3b6
SHA1: 048e62fb66cd6d670d2735efccc8249844ed2403
SHA256: 871aae945431175867eb63a32d6216c7e2fe4c03c9ccf710e07be9633daa6a07
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
ar_SA.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ar_SA.js
MD5: f717cfffe583043173e901052cd69ee8
SHA1: 4671994f69f3211a4531c83b444e681168ca4e67
SHA256: 055331f23a2f00e77298adf0661bb363273c77b2a364325e0f2d7f56777c1a36
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
asm-9.6.jar
Description:
ASM, a very small and fast Java bytecode manipulation framework
License:
BSD-3-Clause: https://asm.ow2.io/license.html
File Path: /home/vaclav/.m2/repository/org/ow2/asm/asm/9.6/asm-9.6.jar
MD5: 6f8bccf756f170d4185bb24c8c2d2020
SHA1: aa205cf0a06dbd8e04ece91c0b37c3f5d567546a
SHA256: 3c6fac2424db3d4a853b669f4e3d1d9c3c552235e19a319673f887083c2303a1
Referenced In Project/Scope: OpenKM Web Application:compile
asm-9.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.6.3
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | asm | High
Vendor | jar | package name | asm | Highest
Vendor | jar | package name | objectweb | Highest
Vendor | Manifest | bundle-docurl | http://asm.ow2.org | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | bundle-symbolicname | org.objectweb.asm | Medium
Vendor | pom | artifactid | asm | Highest
Vendor | pom | artifactid | asm | Low
Vendor | pom | developer email | ebruneton@free.fr | Low
Vendor | pom | developer email | eu@javatx.org | Low
Vendor | pom | developer email | forax@univ-mlv.fr | Low
Vendor | pom | developer id | ebruneton | Medium
Vendor | pom | developer id | eu | Medium
Vendor | pom | developer id | forax | Medium
Vendor | pom | developer name | Eric Bruneton | Medium
Vendor | pom | developer name | Eugene Kuleshov | Medium
Vendor | pom | developer name | Remi Forax | Medium
Vendor | pom | groupid | org.ow2.asm | Highest
Vendor | pom | name | asm | High
Vendor | pom | organization name | OW2 | High
Vendor | pom | organization url | http://www.ow2.org/ | Medium
Vendor | pom | parent-artifactid | ow2 | Low
Vendor | pom | parent-groupid | org.ow2 | Medium
Vendor | pom | url | http://asm.ow2.io/ | Highest
Product | file | name | asm | High
Product | jar | package name | asm | Highest
Product | jar | package name | objectweb | Highest
Product | Manifest | bundle-docurl | http://asm.ow2.org | Low
Product | Manifest | Bundle-Name | org.objectweb.asm | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | Manifest | bundle-symbolicname | org.objectweb.asm | Medium
Product | Manifest | Implementation-Title | ASM, a very small and fast Java bytecode manipulation framework
asterisk.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/asterisk/asterisk.js
MD5: 1e14674107ecabbd26abd23942acfa90
SHA1: 940a9ccbc95b1bd330c9101740f9f87cad99e7aa
SHA256: c682df8f95e0804d52ba1b336d90ac0734d03f4d1732b2877923765ac6f12ebd
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
audioformats-0.15.jar
File Path: /home/vaclav/.m2/repository/entagged/audioformats/audioformats/0.15/audioformats-0.15.jar
MD5: 0420ac9357daa590e4aabc17502ef7df
SHA1: fbfa768177ac683e71a229014989e0485abebb20
SHA256: 0ca062ec1f089700735fa3a198858e700a604a6fd241f02ddb1223473cfb897b
Referenced In Project/Scope: OpenKM Web Application:compile
audioformats-0.15.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
avalon-framework-api-4.3.1.jar
File Path: /home/vaclav/.m2/repository/org/apache/avalon/framework/avalon-framework-api/4.3.1/avalon-framework-api-4.3.1.jar
MD5: 7c543869a7eb2bad323a54e873973acf
SHA1: 2dacadeb49bc14420990b1f28897d46f96e2181d
SHA256: bca4c94b5e53acee3c97fe11cce0749d682d5591bf4a217cd45273adeb08c60f
Referenced In Project/Scope: OpenKM Web Application:compile
avalon-framework-api-4.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0
avalon-framework-impl-4.3.1.jar
File Path: /home/vaclav/.m2/repository/org/apache/avalon/framework/avalon-framework-impl/4.3.1/avalon-framework-impl-4.3.1.jar
MD5: 004ac42a2cda8c444451ef187b24284f
SHA1: 2d5f5a07fd14513ce6d7a7bfaff69419c26dbd0b
SHA256: 1a429bd5ba87c55b9c84648d0404eb6499b7c05a2c9f21b1bb9621fbf117589f
Referenced In Project/Scope: OpenKM Web Application:compile
avalon-framework-impl-4.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0
aws-java-sdk-1.3.0.jar
Description:
The Amazon Web Services SDK for Java provides Java APIs for building software on AWS' cost-effective, scalable, and reliable infrastructure products. The AWS Java SDK allows developers to code against APIs for all of Amazon's infrastructure web services (Amazon S3, Amazon EC2, Amazon SQS, Amazon Relational Database Service, Amazon AutoScaling, etc).
License:
Apache License, Version 2.0: http://aws.amazon.com/apache2.0
File Path: /home/vaclav/.m2/repository/com/amazonaws/aws-java-sdk/1.3.0/aws-java-sdk-1.3.0.jar
MD5: af8f4f9fd255977cbcf19eae3d7e54a0
SHA1: 6b95d606e88baeda06ce174d725537446dd471b1
SHA256: 9f4fb973174d104488385fe7353664ba4bafc9a1b76e298e3f05671b741332a5
Referenced In Project/Scope: OpenKM Web Application:compile
aws-java-sdk-1.3.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
The AWS SDK for Java enables Java developers to work with Amazon Web Services. A partial-path traversal issue exists within the `downloadDirectory` method in the AWS S3 TransferManager component of the AWS SDK for Java v1 prior to version 1.12.261. Applications using the SDK control the `destinationDirectory` argument, but S3 object keys are determined by the application that uploaded the objects. The `downloadDirectory` method allows the caller to pass a filesystem object in the object key but contained an issue in the validation logic for the key name. A knowledgeable actor could bypass the validation logic by including a UNIX double-dot in the bucket key. Under certain conditions, this could permit them to retrieve a directory from their S3 bucket that is one level up in the filesystem from their working directory. This issue's scope is limited to directories whose name prefix matches the destinationDirectory. E.g. for destination directory `/tmp/foo`, the actor can cause a download to `/tmp/foo-bar`, but not `/tmp/bar`. If `com.amazonaws.services.s3.transfer.TransferManager::downloadDirectory` is used to download an untrusted bucket's contents, the contents of that bucket can be written outside of the intended destination directory. Version 1.12.261 contains a patch for this issue. As a workaround, when calling `com.amazonaws.services.s3.transfer.TransferManager::downloadDirectory`, pass a `KeyFilter` that forbids `S3ObjectSummary` objects whose `getKey` method returns a string containing the substring `..`.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
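The flaw described above is a containment check that treats `/tmp/foo-bar` as lying inside `/tmp/foo`. The Python below is an added illustration, not code from the AWS SDK or from this report: `naive_is_within` reproduces that kind of string-prefix test, `is_within` does the containment test properly on normalised paths, and `key_is_safe` is the key filter the advisory recommends as a workaround, rejecting any object key with a `..` segment. The destination directory, the object keys and the `resolve_key` helper are constructed for the demonstration.

```python
import posixpath

# Constructed sample input: the caller's destination directory and S3 object
# keys chosen by whoever uploaded the objects (attacker-controlled).
DEST_DIR = "/tmp/foo"
SAMPLE_KEYS = [
    "docs/report.txt",      # benign
    "../foo-bar/evil.sh",   # escapes to the sibling /tmp/foo-bar
    "../bar/evil.sh",       # escapes to /tmp/bar
    "/etc/passwd",          # absolute key
]


def resolve_key(dest_dir, key):
    """Map an S3 key onto a local path the way a naive downloader would:
    join and normalise, so '..' segments are collapsed."""
    return posixpath.normpath(posixpath.join(dest_dir, key))


def naive_is_within(dest_dir, candidate):
    """The flawed containment test: a plain string-prefix comparison.
    '/tmp/foo-bar/evil.sh' starts with '/tmp/foo', so it passes."""
    return candidate.startswith(dest_dir)


def is_within(dest_dir, candidate):
    """Correct containment test: after normalisation the candidate must be the
    destination itself or sit below it as a whole path component."""
    dest = posixpath.normpath(dest_dir)
    cand = posixpath.normpath(candidate)
    return cand == dest or cand.startswith(dest.rstrip("/") + "/")


def key_is_safe(key):
    """Key filter in the spirit of the advisory's workaround: reject any key that
    is absolute or contains a '..' path segment. Checking segments rather than
    the raw substring '..' still allows a legitimate name such as 'a..b'."""
    if key.startswith("/"):
        return False
    return all(seg != ".." for seg in key.split("/"))


def classify(dest_dir, keys):
    """Return {key: (naive_check, correct_check, key_filter)} for each key."""
    result = {}
    for key in keys:
        target = resolve_key(dest_dir, key)
        result[key] = (naive_is_within(dest_dir, target),
                       is_within(dest_dir, target),
                       key_is_safe(key))
    return result


if __name__ == "__main__":
    for key, (naive, correct, filtered) in classify(DEST_DIR, SAMPLE_KEYS).items():
        print(f"{key:22} -> {resolve_key(DEST_DIR, key):24} "
              f"naive={naive} correct={correct} key_filter={filtered}")
```

The key filter is the cheaper control because it runs before any path is built; the containment check is the one the downloader itself should have used, and it is what the SDK's patch corrects.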
az.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/az.js
MD5: 38ff4633713fa35312bc669ba56afd0f
SHA1: 8175c1249938fa44650c954c38ce54bb758b2332
SHA256: e08fc67c84d3aaa2cb1910c8ebd2c9cac2db109ddd94bac15aaeb8ccc9a26281
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
batik-bridge-1.7.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/xmlgraphics/batik-bridge/1.7/batik-bridge-1.7.jar
MD5: 9693f85b4f65f53190984eaae07c1d15
SHA1: 8e0cde3830e0f17704cd392b0a09b13944987a51
SHA256: e7c5a7d772c4f2eef5d34842019440a7ec3f4b00375a9a8350af4804823c832d
Referenced In Project/Scope: OpenKM Web Application:compile
batik-bridge-1.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | batik-bridge | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | batik | Highest
Vendor | jar | package name | bridge | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation (http://xmlgraphics.apache.org/batik/)
In Apache Batik 1.x before 1.10, when deserializing a subclass of `AbstractDocument`, the class takes a string from the input stream as the class name and uses it to call the no-arg constructor of that class. The fix was to check the class type before calling newInstance during deserialization.
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
CWE-611 Improper Restriction of XML External Entity Reference
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a URL through the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data and send it directly as a parameter to a URL.
batik-js-1.7.jar
Description:
This is a patched version of Rhino 1.6R5 for use by Batik. See http://svn.apache.org/repos/asf/xmlgraphics/batik/trunk/lib/README.js.txt for details of the patch.
License:
Mozilla Public License version 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
File Path: /home/vaclav/.m2/repository/org/apache/xmlgraphics/batik-js/1.7/batik-js-1.7.jar
MD5: 0eab2c31be0102c0828d0f60c4f14494
SHA1: 688eb1bf13b7a54491fcb3405068fc5092589884
SHA256: f7d917d038b136702461e3dbd5f83dd9946b664398d88f090284447b8e00fbba
Referenced In Project/Scope: OpenKM Web Application:compile
batik-js-1.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0
In Apache Batik 1.x before 1.10, when deserializing a subclass of `AbstractDocument`, the class takes a string from the input stream as the class name and uses it to call the no-arg constructor of that class. The fix was to check the class type before calling newInstance during deserialization.
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
CWE-611 Improper Restriction of XML External Entity Reference
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data and send it directly as a parameter to a URL.
bcprov-jdk15on-1.52.jar
Description:
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
File Path: /home/vaclav/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.52/bcprov-jdk15on-1.52.jar
MD5: 873ac611cb0d7160c0a3d30eee964454
SHA1: 88a941faf9819d371e3174b5ed56a3f3f7d73269
SHA256: 0dc4d181e4d347893c2ddbd2e6cd5d7287fc651c03648fa64b2341c7366b1773
Referenced In Project/Scope: OpenKM Web Application:compile
bcprov-jdk15on-1.52.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
CWE-347 Improper Verification of Cryptographic Signature
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes (org.bouncycastle.math.raw.Nat???); these have since been fixed. The classes are used by the custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious results for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for the scalar multipliers.
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
CWE-347 Improper Verification of Cryptographic Signature
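The DSA entry above and this ECDSA entry describe the same encoding problem: a verifier that reads r and s out of the DER SEQUENCE and stops, so elements appended inside the SEQUENCE (or bytes trailing it) ride along in a signature that still verifies. The Python below is an added illustration and not Bouncy Castle code: `encode_signature` produces the DER `SEQUENCE { INTEGER r, INTEGER s }`, `parse_signature_lenient` models the permissive parse, `parse_signature_strict` enforces canonical DER (exact lengths, exactly two INTEGERs, minimal INTEGER encoding, no trailing data), and `inject_extra_element` shows how the 'invisible' data is smuggled. The sample r and s values are constructed and are not a real signature.

```python
TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30

# Constructed sample values of P-256 size; not a real signature.
SAMPLE_R = int.from_bytes(bytes(range(1, 33)), "big")
SAMPLE_S = int.from_bytes(bytes(range(0x80, 0xA0)), "big")  # high bit set, needs a 0x00 pad


def _encode_length(n):
    """DER length: short form below 0x80, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_integer(value):
    """DER INTEGER for a non-negative value: minimal bytes, 0x00 pad when the
    high bit would otherwise make it read as negative."""
    if value < 0:
        raise ValueError("signature components are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return bytes([TAG_INTEGER]) + _encode_length(len(body)) + body


def encode_signature(r, s):
    """SEQUENCE { INTEGER r, INTEGER s }, the DSA/ECDSA signature encoding."""
    body = _encode_integer(r) + _encode_integer(s)
    return bytes([TAG_SEQUENCE]) + _encode_length(len(body)) + body


def _read_tlv(buf, pos):
    """Read one tag/length/value starting at pos; return (tag, value, next_pos).
    Length decoding is strict DER (minimal form only)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf) or buf[pos] == 0:
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80:
            raise ValueError("non-minimal length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def _decode_integer(value):
    """Strict DER INTEGER: non-empty, non-negative, no redundant leading zero."""
    if not value:
        raise ValueError("empty INTEGER")
    if value[0] & 0x80:
        raise ValueError("negative INTEGER")
    if len(value) > 1 and value[0] == 0 and not value[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(value, "big")


def parse_signature_lenient(sig):
    """The permissive shape: take the first two elements as r and s and ignore
    anything else inside the SEQUENCE or after it."""
    tag, body, _ = _read_tlv(sig, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    _, r_bytes, pos = _read_tlv(body, 0)
    _, s_bytes, _ = _read_tlv(body, pos)
    return int.from_bytes(r_bytes, "big"), int.from_bytes(s_bytes, "big")


def parse_signature_strict(sig):
    """Canonical DER only: exactly two INTEGERs, nothing else inside or after."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    if end != len(sig):
        raise ValueError("trailing data after SEQUENCE")
    tag_r, r_bytes, pos = _read_tlv(body, 0)
    tag_s, s_bytes, pos = _read_tlv(body, pos)
    if tag_r != TAG_INTEGER or tag_s != TAG_INTEGER:
        raise ValueError("expected two INTEGERs")
    if pos != len(body):
        raise ValueError("extra element inside SEQUENCE")
    return _decode_integer(r_bytes), _decode_integer(s_bytes)


def inject_extra_element(sig, payload):
    """Append an OCTET STRING carrying payload inside the SEQUENCE and fix up the
    outer length. r and s are untouched, so a lenient verifier still accepts it."""
    _, body, _ = _read_tlv(sig, 0)
    body += bytes([TAG_OCTET_STRING]) + _encode_length(len(payload)) + payload
    return bytes([TAG_SEQUENCE]) + _encode_length(len(body)) + body


def strict_accepts(sig):
    """True when the strict parser accepts sig, False on any encoding violation."""
    try:
        parse_signature_strict(sig)
        return True
    except ValueError:
        return False
```

The lenient parser returns the same (r, s) for the original and the tampered signature, which is exactly why the smuggled payload is 'invisible' to the mathematics of verification; only the strict parser, which demands that the encoding be the unique canonical one, rejects it.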
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when decryption is failing due to padding.
BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
In engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-148517383.
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
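The LDAP injection above comes from concatenating a certificate's Subject into a search filter without escaping. The Python below is an added illustration, not Bouncy Castle's CertStore code, and the filter shape `(&(cn=...)(objectClass=pkiCA))` is a hypothetical one chosen for the demonstration: `build_filter_unescaped` shows the vulnerable concatenation, `ldap_filter_escape` applies the RFC 4515 escaping rules for assertion values, and `count_assertions` makes the injected extra clause visible. The subject names are constructed.

```python
# Constructed sample subjects: a normal one, and one crafted to close the cn
# assertion early and add a wildcard clause of the attacker's choosing.
BENIGN_SUBJECT = "CN=Acme Issuing CA,O=Acme,C=US"
MALICIOUS_SUBJECT = "CN=Acme)(cn=*"

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter_unescaped(subject):
    """Vulnerable: the subject is pasted into the filter verbatim
    (hypothetical filter shape, not the one Bouncy Castle builds)."""
    return "(&(cn=%s)(objectClass=pkiCA))" % subject


def build_filter_escaped(subject):
    """Hardened: the same filter with the subject escaped first."""
    return "(&(cn=%s)(objectClass=pkiCA))" % ldap_filter_escape(subject)


def count_assertions(ldap_filter):
    """Number of attribute assertions in a filter: every '(' that does not open
    an &, | or ! group. A tiny structural probe for the demo, not a full parser."""
    return sum(
        1 for i, ch in enumerate(ldap_filter)
        if ch == "(" and i + 1 < len(ldap_filter) and ldap_filter[i + 1] not in "&|!"
    )


if __name__ == "__main__":
    for subject in (BENIGN_SUBJECT, MALICIOUS_SUBJECT):
        for build in (build_filter_unescaped, build_filter_escaped):
            f = build(subject)
            print(f"{build.__name__:24} assertions={count_assertions(f)}  {f}")
```

With the malicious subject the unescaped filter gains a third assertion, `(cn=*)`, which widens the directory search to every entry; after escaping the same input is a single literal value and the filter keeps its two intended assertions.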
In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
bcprov-jdk18on-1.76.jar
Description:
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.
File Path: /home/vaclav/.m2/repository/org/bouncycastle/bcprov-jdk18on/1.76/bcprov-jdk18on-1.76.jar
MD5: 7020b9a9e1b951f5754a2168a26367f1
SHA1: 3a785d0b41806865ad7e311162bfa3fa60b3965b
SHA256: fda85d777aaae168015860b23a77cad9b8d3a1d5c904fda875313427bd560179
Referenced In Project/Scope: OpenKM Web Application:compile
bcprov-jdk18on-1.76.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.6.3
be.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/be.js
MD5: 8f671c8af95f60e8e59b58d352cdf8bd
SHA1: 5f8113d40fbe58ee0c90f49911b2aa3766979676
SHA256: bc225a2b0054fd43295abc8267f178db2f48c7f4c410b261f92a669431b91fa1
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
beanshell2-2.1.8.jar
File Path: /home/vaclav/.m2/repository/com/google/code/beanshell2/2.1.8/beanshell2-2.1.8.jar
MD5: 86da39aefd9ab3da7167f141083009ea
SHA1: d1a739ea4ad2222a6b06193fb087855982694831
SHA256: ef196035f6252a0237438ee8039e26d88f616b6b9a5995b17767368484c87ef1
Referenced In Project/Scope: OpenKM Web Application:compile
beanshell2-2.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/fold/brace-fold.js MD5: 7fd555e31badb4918a7ec8b9080b600e SHA1: b2cd581c253922a62c9d1d9d869f9f264f6f6e87 SHA256:2adb5bfa473eabf9f9ccc256f997e0bbe35228092092a675b2129be2709e51c5 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
bs.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/bs.js MD5: 8307dfcd2a83bbc9e2f06a6ab61ce3f5 SHA1: f132a4980513e0d4f66993f4e83a3712525ba1a0 SHA256:c9c7b398ebf9498225e3f71214681f429b2b85e8b63f11048f7dfd8608d95011 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
ca.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ca.js MD5: 5e02f06a8257b22c1b271330d76d4deb SHA1: 870bb5c8fdc78327d3bd63112a5a59192dc58229 SHA256:8a4e405fcfa705a9cc91d9e0e7cae17c5dccffd5f368b1edabd96e67ca94bd5b Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
cas-client-core-3.3.3.jar
File Path: /home/vaclav/.m2/repository/org/jasig/cas/client/cas-client-core/3.3.3/cas-client-core-3.3.3.jar MD5: c729171d461fa90455e5f94423fd55b8 SHA1: 4075c60835d9159ff6dee809037caa7d29019af1 SHA256:ed66678bcc81b5407e6379b5a01545991e85dd3950e361a9ed2163679f700c08 Referenced In Project/Scope: OpenKM Web Application:compile cas-client-core-3.3.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.security/spring-security-cas@3.2.10.RELEASE
Core functionality - Required by all other modules
File Path: /home/vaclav/.m2/repository/org/codehaus/castor/castor-core/1.3.3/castor-core-1.3.3.jar MD5: 626dd793f4b5136e17fcb50eef053cb7 SHA1: 2fbb4a27b840e116526a1189dbe53307551ecfb4 SHA256:4b69771c9932f559a7e6f2b6218f442dd7ae086f68575b45f403c5e2c18ce8ce Referenced In Project/Scope: OpenKM Web Application:compile castor-core-1.3.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3
File Path: /home/vaclav/.m2/repository/com/googlecode/catch-exception/catch-exception/1.2.0/catch-exception-1.2.0.jar MD5: f882618633b535145430dd81560c0087 SHA1: f2d1a395d91b4c024b9cc6a0946cfb10199df0a0 SHA256:083f55e5b92c72e779a33e0d9b830d5faddddf93f6a574cdec4229b92ea24915 Referenced In Project/Scope: OpenKM Web Application:compile catch-exception-1.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/org/apache/chemistry/opencmis/chemistry-opencmis-commons-api/0.12.0/chemistry-opencmis-commons-api-0.12.0.jar MD5: 992b8d8b65a2e113f421e94e2fa2083d SHA1: 756dbfe5768240857751ce23407c77eb9b5be9d1 SHA256:81edd163aa33047c5a995daee98b1b5b06ece5bfea84500b30cb4ad01da9b945 Referenced In Project/Scope: OpenKM Web Application:compile chemistry-opencmis-commons-api-0.12.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-support@0.12.0
File Path: /home/vaclav/.m2/repository/org/apache/chemistry/opencmis/chemistry-opencmis-commons-impl/0.12.0/chemistry-opencmis-commons-impl-0.12.0.jar MD5: 68bd9d0d7ede130acd4c59e55bd34518 SHA1: 2834d4cbc9ccbae8dd88b5140d8ca13848599080 SHA256:7598a3aecd155c0325b63ab65778fff0c14ecf35e283d19ac132d972e963a1ca Referenced In Project/Scope: OpenKM Web Application:compile chemistry-opencmis-commons-impl-0.12.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-support@0.12.0
File Path: /home/vaclav/.m2/repository/org/apache/chemistry/opencmis/chemistry-opencmis-server-bindings/0.12.0/chemistry-opencmis-server-bindings-0.12.0.jar MD5: bad4ca93c00f7389f92be6f535638447 SHA1: 972dfba31dac9ed5fc0c9919daf93bbad4fa6c62 SHA256:82c7c9e7cb14f3953c1acead1d2b24ddadf3caaf15acb9abbf1da6a1e9ffa048 Referenced In Project/Scope: OpenKM Web Application:compile chemistry-opencmis-server-bindings-0.12.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/org/apache/chemistry/opencmis/chemistry-opencmis-server-support/0.12.0/chemistry-opencmis-server-support-0.12.0.jar MD5: f3d6574fdefe86b544f7cb7b5b07f01f SHA1: 8effdbceb8d4e6bdad1e457c83fa0340022ce914 SHA256:4c5b75e5671fe7d25c1b93fef1368b17f4b3f91ad9d347347ca978fddda0cb3a Referenced In Project/Scope: OpenKM Web Application:compile chemistry-opencmis-server-support-0.12.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar MD5: b45be74134796c89db7126083129532f SHA1: 686ef3410bcf4ab8ce7fd0b899e832aaba5facf7 SHA256:e1407b81d8138fb9c1fc731b87b5e0068ddccabfbc65dee59cdb378a90c5e81a Referenced In Project/Scope: OpenKM Web Application:compile commons-beanutils-1.8.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. This protection was, however, not enabled by default in PropertyUtilsBean.
File Path: /home/vaclav/.m2/repository/commons-cli/commons-cli/1.2/commons-cli-1.2.jar MD5: bfdcae1ff93f0c07d733f03bdce28c9e SHA1: 2bf96b7aa8b611c177d329452af1dc933e14501c SHA256:e7cd8951956d349b568b7ccfd4f5b2529a8c113e67c32b028f52ffda371259d9 Referenced In Project/Scope: OpenKM Web Application:compile commons-cli-1.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
The codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
File Path: /home/vaclav/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar MD5: 4686be8303e04b41a0b5c37710b9a09d SHA1: cf993e250ff71804754ec2734a16f23c0be99f70 SHA256:c7956fe621708e45314ebdf6a35e35c57f2ff80ba9c85dfafb1e43620af6c797 Referenced In Project/Scope: OpenKM Web Application:compile commons-codec-1.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Types that extend and augment the Java Collections Framework.
File Path: /home/vaclav/.m2/repository/commons-collections/commons-collections/3.1/commons-collections-3.1.jar MD5: d1dcb0fbee884bb855bb327b8190af36 SHA1: 40fb048097caeacdb11dbb33b5755854d89efdeb SHA256:c1547d185ba6880bcc2da261c5f7533512b6ffdbbc1898db5b793c0cb830fcf0 Referenced In Project/Scope: OpenKM Web Application:compile commons-collections-3.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
File Path: /home/vaclav/.m2/repository/org/apache/commons/commons-compress/1.19/commons-compress-1.19.jar MD5: fe897bced43468450b785b66c1cff455 SHA1: 7e65777fb451ddab6a9c054beb879e521b7eab78 SHA256:ff2d59fad74e867630fbc7daab14c432654712ac624dbee468d220677b124dd5 Referenced In Project/Scope: OpenKM Web Application:compile commons-compress-1.19.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CWE-130 Improper Handling of Length Parameter Inconsistency, CWE-770 Allocation of Resources Without Limits or Throttling
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CWE-130 Improper Handling of Length Parameter Inconsistency, CWE-770 Allocation of Resources Without Limits or Throttling
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-Other
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.
File Path: /home/vaclav/.m2/repository/commons-digester/commons-digester/2.1/commons-digester-2.1.jar MD5: 528445033f22da28f5047b6abcd1c7c9 SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0 SHA256:e0b2b980a84fc6533c5ce291f1917b32c507f62bcad64198fff44368c2196a3d Referenced In Project/Scope: OpenKM Web Application:compile commons-digester-2.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
File Path: /home/vaclav/.m2/repository/commons-fileupload/commons-fileupload/1.5/commons-fileupload-1.5.jar MD5: e57ac8a1a6412886a133a2fa08b89735 SHA1: ad4ad2ab2961b4e1891472bd1a33fabefb0385f3 SHA256:51f7b3dcb4e50c7662994da2f47231519ff99707a5c7fb7b05f4c4d3a1728c14 Referenced In Project/Scope: OpenKM Web Application:compile commons-fileupload-1.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
File Path: /home/vaclav/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar MD5: 8ad8c9229ef2d59ab9f59f7050e846a5 SHA1: 964cd74171f427720480efdec40a7c7f6e58426a SHA256:dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443 Referenced In Project/Scope: OpenKM Web Application:compile commons-httpclient-3.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
File Path: /home/vaclav/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar MD5: 7f97854dc04c119d461fed14f5d8bb96 SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad SHA256:cc6a41dc3eaacc9e440a6bd0d2890b20d36b4ee408fe2d67122f328bb6e01581 Referenced In Project/Scope: OpenKM Web Application:compile commons-io-2.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string such as "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code used the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-20 Improper Input Validation
Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
File Path: /home/vaclav/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar MD5: 4d5c1693079575b362edf41500630bbd SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2 SHA256:50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c Referenced In Project/Scope: OpenKM Web Application:compile commons-lang-2.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0
Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
File Path: /home/vaclav/.m2/repository/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar MD5: 4e5c3f5e6b0b965ef241d7d72ac8971f SHA1: 1ed471194b02f2c6cb734a0cd6f6f107c673afae SHA256:7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c Referenced In Project/Scope: OpenKM Web Application:compile commons-lang3-3.14.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.6.3
Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.
License:
The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /home/vaclav/.m2/repository/commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar MD5: 8a507817b28077e0478add944c64586a SHA1: f029a2aefe2b3e1517573c580f948caac31b1056 SHA256:e94af49749384c11f5aa50e8d0f5fe679be771295b52030338d32843c980351e Referenced In Project/Scope: OpenKM Web Application:compile commons-logging-1.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/commons-httpclient/commons-httpclient@3.1
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/comment/continuecomment.js MD5: f9b0e8a95c77dcb7766acef3710e42e9 SHA1: 20d9b842d252230eb3252eaba9de3a8672d3cfdd SHA256:099a1e4e7aba8b889243036660cacca72b89787edc8b456057edb6bc1bdb4eb2 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
continuelist.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/edit/continuelist.js MD5: 32a633aabf220ecbd585e517891b797d SHA1: 5899ba64c7ab89961d02040909c36da24100f2a2 SHA256:1df8ae4caa16f3c2b7907638bd7b259cc256a2dfda93269c731dafa66225f72e Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
core-1.47.1.jar
Description:
The Google Data Java client library is written by Google. It supports the latest major version of the following Google Data APIs.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/google/gdata/core/1.47.1/core-1.47.1.jar MD5: 0ab87486663ef3adc0a195a1cff87d37 SHA1: 52ee0d917c1c3461f6e12079f73ed71bc75f12d4 SHA256:671fb963dd0bc767a69c7e4a74c07cf8dad3912bd40d37e600cc2b06d7a42dea Referenced In Project/Scope: OpenKM Web Application:compile core-1.47.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/google/zxing/core/2.2/core-2.2.jar MD5: 479d0651da7129b32f521d876f9ffe38 SHA1: cba0b93b0072105d808ef7a00a107a4eb97874e7 SHA256:c6963b3ddc11b8a1ff4ebf65e93314cc6af341685f70c98c752094fa59bef492 Referenced In Project/Scope: OpenKM Web Application:compile core-2.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
A parser for reading CronTab strings, written in Java using JavaCC.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/kenai/crontab-parser/crontab-parser/1.0.1/crontab-parser-1.0.1.jar MD5: 7938fde3357cb513482c6e7168affa32 SHA1: 333e5fd1dde321901ccfc7f40f069f00adb898f9 SHA256:d7c37cd89957fd02a6eaf539595d7676e234d6ffebaf279000cd5c7588c74b2b Referenced In Project/Scope: OpenKM Web Application:compile crontab-parser-1.0.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
The spectacular complement to the Bouncy Castle crypto API for Java.
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-3.0.txt
File Path: /home/vaclav/.m2/repository/org/cryptacular/cryptacular/1.2.6/cryptacular-1.2.6.jar MD5: b4cf54fbc0b44a3233b0daa8b4c0cb83 SHA1: c97954b8bc9fbf63393d6a3b9113a6ce70772b45 SHA256:7a901585834f4533f127c643660435aec9a969af720613dc9126e555be7b1a01 Referenced In Project/Scope: OpenKM Web Application:compile cryptacular-1.2.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.6.3
File Path: /home/vaclav/.m2/repository/org/apache/cxf/cxf-core/3.6.3/cxf-core-3.6.3.jar MD5: 2de537636712b2cb4b50605c81bb8864 SHA1: a6adb9c4f0b62f6ff6bcb41fee8a77c9b5941604 SHA256:6380bef337eb56a50b4bf10b00246f6612789b61258a6e607c61a2a116da58d9 Referenced In Project/Scope: OpenKM Web Application:compile cxf-core-3.6.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.6.3
File Path: /home/vaclav/.m2/repository/org/apache/cxf/cxf-rt-rs-service-description-swagger/3.6.3/cxf-rt-rs-service-description-swagger-3.6.3.jar MD5: dd7a208a0623e222c1df949c04c9ab86 SHA1: 08fa674ff2b13a199b68a7c5d172cb6aec4de16e SHA256:3ec1c68407008258d599f85293179b158bd020c40eb6c99bdeb993ca2319b63e Referenced In Project/Scope: OpenKM Web Application:compile cxf-rt-rs-service-description-swagger-3.6.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/cy.js MD5: f855e4ea37e32171615ec432cbc6fa1a SHA1: 5dcd337546fcab0cc288594aa149a13a41b768fc SHA256:52531c00874f08ed705274fc5c6940c0d31ee2eb5306d8dee331ee93aaa02879 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
d.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/d/d.js MD5: e5ebcc495d888828f3ef061485e9c8b8 SHA1: b5b9a5606b00177ee789c1d4ab59f160969daae7 SHA256:e7a39d915b046ea60562d20598d8051aadd19139fadf0e9eb73fd29e05f26f98 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
da.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/da.js MD5: 1a2241ac826d943ad35d35ab96902e03 SHA1: 0083ac2bceae3a6d38c4af898ca89b84f18c827d SHA256:7f85a3e3356bc835e38222c055fd14f610c22d70cfb76806c329134a3c62a952 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
de.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/de.js MD5: 2e0e6dbf136e8dcdab903cb648e52630 SHA1: b0c920fad6c4a3f0ae31c89f1786b36744596c57 SHA256:182cdba9d5309bd459cb6c7802826333073647d10dd159cd8843ddf231c2c2d8 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
de_AT.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/de_AT.js MD5: 3ab58270ed387f9a89f31a671ef7992b SHA1: 70c103af4f69a5cb8ff761d0d82d5d8df3d6dcbc SHA256:5aa9f098de09fa6884ea1d10fc1298a80016654b0e6a1b1142d29770c1934893 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
debugger.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/preview/pdfjs/web/debugger.js MD5: cee256b3148b71c096a8284b6b3aaf41 SHA1: 4ab7d76ffdf3b79b54ca8f985ffc556852a9c4c7 SHA256:514e79e0fb34895ad93d3414901e0c27b65a3adce083a28dcacf5b57f3d80327 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
dialog.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/dialog/dialog.js MD5: 5313293614d5eb85dafa26df6b0dda0d SHA1: 4ddcd1189a1b05c8fde0fa73c3ca05fcafe979c4 SHA256:5271c108e723f89751c7053408d1f2f4278a125553b84ff707a31fb2f288229d Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
diff.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/diff/diff.js MD5: 2cadbad679927b1d88a8f9da8bffde70 SHA1: a6fc86148afbc6bba13230275004e3d42cf9edb5 SHA256:35830d2dccb54039ee12d1fa5b417a3e47f0f085f892cef30edb336340f82b8a Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
diff_match_patch.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/merge/dep/diff_match_patch.js MD5: ecbc571af41c4fbbaac460b86ac394ac SHA1: fe884e8da63959edadc8b9a579551d5eab3af34b SHA256:fbbb3d772be647b0a82fc1498986c0d1ec4b52bb520d8404a539796c73412fc6 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
django.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/django/django.js MD5: 29b09cd8891d814e5bdda7c7cc6e764d SHA1: 659f15c3390f3c068cc9d8e8565970527329ca21 SHA256:c205f101bb0ae173b1422b59fb7da941bb627a1feae8e753db49d589549cf58e Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
dnsjava-2.0.8.jar
Description:
dnsjava is an implementation of DNS in Java. It supports all defined record types (including the DNSSEC types), and unknown types. It can be used for queries, zone transfers, and dynamic updates. It includes a cache which can be used by clients, and a minimal implementation of a server. It supports TSIG authenticated messages, partial DNSSEC verification, and EDNS0.
License:
BSD license: http://www.dnsjava.org/README
File Path: /home/vaclav/.m2/repository/dnsjava/dnsjava/2.0.8/dnsjava-2.0.8.jar MD5: 9d1e41d2f4cfdb8728017b55de933753 SHA1: 0b84f81f7cec3116cc8094e9dd9825f21f9d368c SHA256:7648a88e6851de5e15dba580684ea632bf21dde69eb3b21ae40c17eb6145b3ec Referenced In Project/Scope: OpenKM Web Application:compile dnsjava-2.0.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/org/docx4j/docx4j/3.1.0/docx4j-3.1.0.jar MD5: 055f4ad7499d6813e1c48459f3362c28 SHA1: 9c94e45d4177b809f7b837c6ded98303e9e6fe81 SHA256:611b276186bb5c787e1363dd7edab3c1c060152a8e789c047d94bb0d90f9421c Referenced In Project/Scope: OpenKM Web Application:compile docx4j-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar MD5: 4d8f51d3fe3900efc6e395be48030d6d SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94 SHA256:593552ffea3c5823c6602478b5002a7c525fd904a3c44f1abe4065c22edfac73 Referenced In Project/Scope: OpenKM Web Application:compile dom4j-1.6.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.jbpm.jbpm3/jbpm-jpdl@3.3.1.OKM
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
CWE-611 Improper Restriction of XML External Entity Reference
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element, Methods: addElement, addAttribute, that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
File Path: /home/vaclav/.m2/repository/net/sf/dozer/dozer/5.3.2/dozer-5.3.2.jar MD5: 948692ee1194594bfe014c5845b552dc SHA1: fb10fbcb72f936c1eecb195ba279df4e52bcabb0 SHA256:4886cf8482601343dfb535d603ea703deb561c770d28cd7a9d3733d115c5ea50 Referenced In Project/Scope: OpenKM Web Application:compile dozer-5.3.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object.
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/dtd/dtd.js MD5: 7e4079d3b588aec92c1de975b1bbde65 SHA1: 5c132d0a2334ca527cceb940b4aeeef7ade4d0d1 SHA256:1f094ddd7181013e161105c357ebe3a8e2cef82d2a9b894920fed98c70afac63 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
dv.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/dv.js MD5: e6c9be9c34e918f0a64d8ff0c990991a SHA1: 662428cc6b8fd9f1a5f632500a6bd6faa72f6932 SHA256:47ba853d0c11740e08e421b2140ded99d878bb47e7a9225eb263554c182a0bd5 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
dylan.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/dylan/dylan.js MD5: 9f967dd308965055d8dc04355f6900ca SHA1: fe71a23af24474792ffbbc28cad03e81a4105a26 SHA256:f5f7c6fd6740fb1f52711c766920745e949e61f1a0b43972bac3fe20045cd742 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
ecj-4.4.2.jar
Description:
Eclipse JDT Core Batch Compiler
License:
Eclipse Public License v1.0: http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/vaclav/.m2/repository/org/eclipse/jdt/core/compiler/ecj/4.4.2/ecj-4.4.2.jar MD5: ee97ab38f390547839b950bb51bf5cb5 SHA1: 71d67f5bab9465ec844596ef844f40902ae25392 SHA256:2d6ee21554bbba012b6b0383be6e6587fa35370104e41c10a3eb47039fa3e6d1 Referenced In Project/Scope: OpenKM Web Application:compile ecj-4.4.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/ecl/ecl.js MD5: c30a62c7260832fff7ed556feeed03b1 SHA1: e3c5971d2a79721dd3200a98989706ce6d2018b9 SHA256:7aebda9ba2b0eb3758ee169d711145dc8d1f9d330bf3e8be9ad02c6a2c18ea74 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
ehcache-core-2.4.3.jar
Description:
This is the ehcache core module. Pair it with other modules for added functionality.
License:
The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt
File Path: /home/vaclav/.m2/repository/net/sf/ehcache/ehcache-core/2.4.3/ehcache-core-2.4.3.jar MD5: 9d4b1464a2fcbc16ae46740669a0dab8 SHA1: fd258ef6959f27fb678b04f90139ded4588e2d15 SHA256:9b93a12cda08e7ad4d567d2027d292e67ee726da0cbb330f5de0e90aeb1d3fd1 Referenced In Project/Scope: OpenKM Web Application:compile ehcache-core-2.4.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-ehcache@3.6.10.Final
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/eiffel/eiffel.js MD5: 7169891be948fdb38e8752e59d5a4dd4 SHA1: 1bbd08f7eebaab82b735255c0ee4b1bbe0d9ce63 SHA256:0666f48ac9d586ec78fa703b3a168a6d2dad3c2da1f99f85e6515ad294ffbc2d Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
el.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/el.js MD5: 5915a6a9012ff19debc3d3f001db0172 SHA1: 9d98199df7aac3f0c011bf3eae3b147681b19e8b SHA256:75b81e8b4601b43285a0d074a917c6e9d18b636a4a58d3396321ff5b1b06d39b Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
en_CA.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/en_CA.js MD5: b647ab56b6efc1a1676b7ee3fa874980 SHA1: f655da97c9350109f502bdbe80b3c15fbc1bc97c SHA256:5fee7e9ab31f421075fbec94f324aef62a8670623100b1ba7ec38fa5dccb8273 Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
en_GB.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/en_GB.js MD5: 8724defc20694e4b8d921bdfcd735aba SHA1: 7d0d3f7b625d237c3751b312af46de931b2173bc SHA256:a8d682dedb2335d973dec930de208fd622b36a0a1c5f5bec2dd5b824c715380e Referenced In Project/Scope: OpenKM Web Application
Evidence: none recorded
Identifiers: None
encoder-1.1.jar
Description:
The OWASP Encoders package is a collection of high-performance, low-overhead contextual encoders that, when utilized correctly, is an effective tool in preventing web application security vulnerabilities such as Cross-Site Scripting.
File Path: /home/vaclav/.m2/repository/org/owasp/encoder/1.1/encoder-1.1.jar
MD5: be2f4935acd2f38c4bf6d6785ffb3c4b
SHA1: 4a30f7daebfaddd665a96e18fd371bfe8a7db1b8
SHA256: cdf109ec3dfdfea91dd6415246547202ab9f8e7341c4142bf53920e3e87a9c56
Referenced In Project/Scope: OpenKM Web Application:compile
encoder-1.1.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/org/apache/pdfbox/fontbox/2.0.13/fontbox-2.0.13.jar
MD5: f6dd2dbe55ea47062f7ac0543f7e29c6
SHA1: a1361adacfe9bebf262a5e05a97f1add9af1cc05
SHA256: e37f809231c8c71276a87bb08272d007a0b4bfe857add208906d51da731a0104
Referenced In Project/Scope: OpenKM Web Application:compile
fontbox-2.0.13.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.apache.pdfbox/pdfbox@2.0.13
Apache FOP (Formatting Objects Processor) is the world's first print formatter driven by XSL formatting objects (XSL-FO) and the world's first output independent formatter. It is a Java application that reads a formatting object (FO) tree and renders the resulting pages to a specified output. Output formats currently supported include PDF, PCL, PS, AFP, TIFF, PNG, SVG, XML (area tree representation), Print, AWT and TXT. The primary output target is PDF.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/xmlgraphics/fop/1.1/fop-1.1.jar
MD5: 97f0cf9c6195d241515a44ead528c463
SHA1: 95978100a6cde324078947a2d476cf2f207a7e5a
SHA256: 5fc99990806b5553e134097cabb49ac1f519b0e3b56b821bd00f6a30c83bb3f3
Referenced In Project/Scope: OpenKM Web Application:compile
fop-1.1.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.docx4j/docx4j@3.1.0
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | fop | High
Vendor | jar | package name | afp | Highest
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | area | Highest
Vendor | jar | package name | awt | Highest
Vendor | jar | package name | fop | Highest
Vendor | jar | package name | pcl | Highest
Vendor | jar | package name | pdf | Highest
Vendor | jar | package name | print | Highest
Vendor | jar | package name | ps | Highest
Vendor | jar | package name | svg | Highest
Vendor | jar | package name | txt | Highest
Vendor | jar | package name | xml | Highest
Vendor | manifest: org/apache/fop/ | Implementation-Vendor | The Apache Software Foundation (http://xmlgraphics.apache.org/fop/) |
File Path: /home/vaclav/.m2/repository/org/freemarker/freemarker/2.3.16/freemarker-2.3.16.jar
MD5: d21d641eb5b49c8c737502fbbb8b0ff6
SHA1: 71743c024b499aa5dfa5d671b283991f330bade0
SHA256: 746802f028eb68f483fdad5f3363f4e31260bcd47bfdffb6c15fd0a77bd95248
Referenced In Project/Scope: OpenKM Web Application:compile
freemarker-2.3.16.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/net.sf.jodreports/jodreports@2.4.0
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/display/fullscreen.js
MD5: 893000c6ef04cb127c23aae9933c9ec4
SHA1: eebadf4277b1243dd6033b7bcaac298abf2fb05d
SHA256: a0723c2aa3ec597463956a2f2e5d1dfd49bd50e0d6f2fd5f2bc20032624be220
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
gas.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/gas/gas.js
MD5: c20a0cf645ca377a41a7729e1e5f2591
SHA1: 994e03efcc65a739a614656f104d7c711666e40d
SHA256: 08f13be2cce6b62e6f5a9c1b6f6c0588d53b549d5ed8cbed82871c9ba74c7481
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
gd.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/gd.js
MD5: d724396bfb38c7387d8997f363429868
SHA1: 7bcc36f930b5c2ed0c364d277dff82fe3fadf38a
SHA256: 224cdc5b8496caabbdfc9cafeaa695105c3381c9c39e12a6b8e848bff5a25c6b
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
gfm.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/gfm/gfm.js
MD5: a42f61354da00547657ca8c0cd022a14
SHA1: eb3d3db2034323ebbcde4d3221a3c2cbe86e53fa
SHA256: f0897c9c3669175aa2a30a89d6ce01b90b5269485fbb6e508818a7874680df99
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
gherkin.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/gherkin/gherkin.js
MD5: 73be9ce1ab6b96349fc6c417e58051a0
SHA1: 18c66388a85055f84f2a18bf186f47271df06ff3
SHA256: b4e5ae4fbe25ead88e92b3a74d2ac8a28aabf97e5ea4f36d235a3aaa8e42e43c
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
gl.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/gl.js
MD5: 7f759e1b80b4f2c9fa6781fdbdba4f7e
SHA1: 947f855a69dc2b22c5c0077b40fc69b7c0f1d212
SHA256: 0e6bd0707bc223a58cef848c24438b050b6b0ee059c71316b08625b247a65542
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
go.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/go/go.js
MD5: dc8ffcc1f0271ce7ec0f251bdbaa8f4e
SHA1: 6c83378dd0de15defa3bbf3e25e94a9ef30e3ce6
SHA256: b983337f07cb50e2196507e1b51a4102247ea5f9b1a134bb3250971e98fd9fef
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
google-api-client-1.20.0.jar
File Path: /home/vaclav/.m2/repository/com/google/api-client/google-api-client/1.20.0/google-api-client-1.20.0.jar
MD5: d8b8b746adc5cfb2b23e5c9784165c5d
SHA1: d3e66209ae9e749b2d6833761e7885f60f285564
SHA256: ec6cdbf7989709761d73156a1db6b9247d0b44043b0e486d275a4377a34b109e
Referenced In Project/Scope: OpenKM Web Application:compile
google-api-client-1.20.0.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
Google HTTP Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
File Path: /home/vaclav/.m2/repository/com/google/http-client/google-http-client/1.20.0/google-http-client-1.20.0.jar
MD5: 70c5b241c361a8e630ddbea6e7c111ea
SHA1: 93d82db2bca534960253f43424b2ba9d7638b4d2
SHA256: 345958d00cbfa69c3e93b356872abdd3ad03e9e4204b7229ccef258dd3921d4a
Referenced In Project/Scope: OpenKM Web Application:compile
google-http-client-1.20.0.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.google.api-client/google-api-client@1.20.0
File Path: /home/vaclav/.m2/repository/com/google/http-client/google-http-client-jackson2/1.20.0/google-http-client-jackson2-1.20.0.jar
MD5: c3e65427c9569f4cde743d98ff89f6e6
SHA1: 2408070b2abec043624d35b35e30450f1b663858
SHA256: 7a297bc26a572a79d52db1b7fe706b6dbdbb575dc502e04bd804c26bb31e2f31
Referenced In Project/Scope: OpenKM Web Application:compile
google-http-client-jackson2-1.20.0.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.google.api-client/google-api-client@1.20.0
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | google-http-client-jackson2 | High
Vendor | jar | package name | client | Highest
Vendor | jar | package name | google | Highest
Vendor | Manifest | Implementation-Vendor | Google | High
Vendor | Manifest | Implementation-Vendor-Id | com.google.http-client | Medium
Vendor | pom | artifactid | google-http-client-jackson2 | Highest
Vendor | pom | artifactid | google-http-client-jackson2 | Low
Vendor | pom | groupid | com.google.http-client | Highest
Vendor | pom | name | Jackson 2 extensions to the Google HTTP Client Library for Java. | High
Vendor | pom | parent-artifactid | google-http-client-parent | Low
Product | file | name | google-http-client-jackson2 | High
Product | jar | package name | client | Highest
Product | jar | package name | google | Highest
Product | Manifest | Implementation-Title | Jackson 2 extensions to the Google HTTP Client Library for Java. | High
Product | pom | artifactid | google-http-client-jackson2 | Highest
Product | pom | groupid | com.google.http-client | Highest
Product | pom | name | Jackson 2 extensions to the Google HTTP Client Library for Java. |
Google OAuth Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
File Path: /home/vaclav/.m2/repository/com/google/oauth-client/google-oauth-client/1.20.0/google-oauth-client-1.20.0.jar
MD5: 901097b9f7ccbe230e447db67711d80c
SHA1: 1d086ac5756475ddf451af2e2df6e288d18608ca
SHA256: 8cda94ac3f3e3037a2cb1eace8d1c5436612c86844e8e45f1a451a45d99984ca
Referenced In Project/Scope: OpenKM Web Application:compile
google-oauth-client-1.20.0.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.google.api-client/google-api-client@1.20.0
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
The vulnerability is that the IDToken verifier does not verify whether the token is properly signed. Signature verification ensures that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload, and the token will pass validation on the client side. We recommend upgrading to version 1.33.3 or above.
CWE-347 Improper Verification of Cryptographic Signature
File Path: /home/vaclav/.m2/repository/com/google/oauth-client/google-oauth-client-java6/1.11.0-beta/google-oauth-client-java6-1.11.0-beta.jar
MD5: 0995bd4952db6995139726ae21527cb3
SHA1: c07d4fd295d5ddf9e92c23c88f854fb733770d4a
SHA256: a1d405cb3318bf844fd9cecd4a22b9bbcfc34a0a437a3eb3e141adac6796a0c5
Referenced In Project/Scope: OpenKM Web Application:compile
google-oauth-client-java6-1.11.0-beta.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.google.gdata/core@1.47.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | google-oauth-client-java6 | High
Vendor | jar | package name | client | Highest
Vendor | jar | package name | extensions | Highest
Vendor | jar | package name | google | Highest
Vendor | Manifest | Implementation-Vendor | Google | High
Vendor | Manifest | Implementation-Vendor-Id | com.google.oauth-client | Medium
Vendor | pom | artifactid | google-oauth-client-java6 | Highest
Vendor | pom | artifactid | google-oauth-client-java6 | Low
Vendor | pom | groupid | com.google.oauth-client | Highest
Vendor | pom | name | Java 6 (and higher) Extensions to the Google OAuth Client Library for Java. | High
Vendor | pom | parent-artifactid | google-oauth-client-parent | Low
Product | file | name | google-oauth-client-java6 | High
Product | jar | package name | client | Highest
Product | jar | package name | extensions | Highest
Product | jar | package name | google | Highest
Product | Manifest | Implementation-Title | Java 6 (and higher) Extensions to the Google OAuth Client Library for Java. | High
Product | pom | artifactid | google-oauth-client-java6 | Highest
Product | pom | groupid | com.google.oauth-client | Highest
Product | pom | name | Java 6 (and higher) Extensions to the Google OAuth Client Library for Java. |
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
The vulnerability is that the IDToken verifier does not verify whether the token is properly signed. Signature verification ensures that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload, and the token will pass validation on the client side. We recommend upgrading to version 1.33.3 or above.
CWE-347 Improper Verification of Cryptographic Signature
File Path: /home/vaclav/.m2/repository/com/google/oauth-client/google-oauth-client-jetty/1.11.0-beta/google-oauth-client-jetty-1.11.0-beta.jar
MD5: 1ee2e0209b163ebb53fa3ea1d43eb66a
SHA1: 7264fbc551ad8219b014feb662b1f1d187c2e7b7
SHA256: b96bcb1924003370f5d59d799d70c62bf1bd7ca9dace09ec1e42457d7028ba29
Referenced In Project/Scope: OpenKM Web Application:compile
google-oauth-client-jetty-1.11.0-beta.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.google.gdata/core@1.47.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | google-oauth-client-jetty | High
Vendor | jar | package name | client | Highest
Vendor | jar | package name | extensions | Highest
Vendor | jar | package name | google | Highest
Vendor | Manifest | Implementation-Vendor | Google | High
Vendor | Manifest | Implementation-Vendor-Id | com.google.oauth-client | Medium
Vendor | pom | artifactid | google-oauth-client-jetty | Highest
Vendor | pom | artifactid | google-oauth-client-jetty | Low
Vendor | pom | groupid | com.google.oauth-client | Highest
Vendor | pom | name | Jetty extensions to the Google OAuth Client Library for Java. | High
Vendor | pom | parent-artifactid | google-oauth-client-parent | Low
Product | file | name | google-oauth-client-jetty | High
Product | jar | package name | client | Highest
Product | jar | package name | extensions | Highest
Product | jar | package name | google | Highest
Product | Manifest | Implementation-Title | Jetty extensions to the Google OAuth Client Library for Java. | High
Product | pom | artifactid | google-oauth-client-jetty | Highest
Product | pom | groupid | com.google.oauth-client | Highest
Product | pom | name | Jetty extensions to the Google OAuth Client Library for Java. |
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
The vulnerability is that the IDToken verifier does not verify whether the token is properly signed. Signature verification ensures that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload, and the token will pass validation on the client side. We recommend upgrading to version 1.33.3 or above.
CWE-347 Improper Verification of Cryptographic Signature
File Path: /home/vaclav/.m2/repository/org/codehaus/groovy/groovy-all-minimal/1.5.8/groovy-all-minimal-1.5.8.jar
MD5: f9d1409298f02e76148acf2c2acf9b5d
SHA1: cf8d95c0d9d4fd08b814c0eb5e32e0216cd07e0d
SHA256: 267171b95bc929b641c6a918e88d506c14d770d97b6ad743f7350aef777e263d
Referenced In Project/Scope: OpenKM Web Application:compile
groovy-all-minimal-1.5.8.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/groovy/groovy.js
MD5: 923efb2d57dae27cf502a3a58a3531b7
SHA1: ae71ebe7254481e263c4559f91c0b3cddc34be89
SHA256: ab6d2a56b14c9d824762d5dc7393b0dde4416e25ae40bbe176805955db5f7cf9
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
gson-2.2.4.jar
Description:
Google Gson library
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/google/code/gson/gson/2.2.4/gson-2.2.4.jar
MD5: 2f54fc24807a4cad7297012dd8cebf3d
SHA1: a60a5e993c98c864010053cb901b7eab25306568
SHA256: c0328cd07ca9e363a5acd00c1cf4afe8cf554bd6d373834981ba05cebec687fb
Referenced In Project/Scope: OpenKM Web Application:compile
gson-2.2.4.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more. Guava has only one code dependency, javax.annotation, per the JSR-305 spec.
File Path: /home/vaclav/.m2/repository/com/google/guava/guava/20.0/guava-20.0.jar
MD5: f32a8a2524620dbecc9f6bf6a20c293f
SHA1: 89507701249388e1ed5ddcf8c41f4ce1be7831ef
SHA256: 36a666e3b71ae7f0f0dca23654b67e086e6c93d192f60ba5dfd5519db6c288c8
Referenced In Project/Scope: OpenKM Web Application:compile
guava-20.0.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
CWE-552 Files or Directories Accessible to External Parties
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-732 Incorrect Permission Assignment for Critical Resource
File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-incubator/2.1.0/gwt-incubator-2.1.0.jar
MD5: ffb9efd602f4c142257225d768a12dd8
SHA1: 3aa16d4c7c00edad4719092669d820a34e10ef0a
SHA256: 07d4dc0da9c80d780b9ff048d38f3dccb30dcb874f9dea25e11cf84eaf02d1b3
Referenced In Project/Scope: OpenKM Web Application:compile
gwt-incubator-2.1.0.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
Library providing easy to use logging capabilities to Google Web Toolkit (GWT) projects.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/vaclav/.m2/repository/com/allen-sauer/gwt/log/gwt-log/3.3.1/gwt-log-3.3.1.jar
MD5: 6a5badb59045e2261114758124e5a626
SHA1: 4bab403e1b9b44d6d64d232942c1690f269fa68a
SHA256: fce757493036f17ee571690c8f771ab0899f350a25e48d033e0313a524b774ee
Referenced In Project/Scope: OpenKM Web Application:compile
gwt-log-3.3.1.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-servlet/2.8.2/gwt-servlet-2.8.2.jar
MD5: 482772fc8f2b97068c8ddacc8c120780
SHA1: a538bc7b20dece1ca9c517d8ec5f6819ba2fdec9
SHA256: 1d971e8efd3f57227a9204d058c1e5f64f1d79e4030a34c884d3bdf982dd263d
Referenced In Project/Scope: OpenKM Web Application:runtime
gwt-servlet-2.8.2.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-user/2.8.2/gwt-user-2.8.2.jar
MD5: 4344edd17705723debc1e1820943ad73
SHA1: a2b9be2c996a658c4e009ba652a9c6a81c88a797
SHA256: 9f420f0d0c2f177d71cb1794b3be1418f9755f6e4181101af3951b8302b9556d
Referenced In Project/Scope: OpenKM Web Application:provided
gwt-user-2.8.2.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-user/2.8.2/gwt-user-2.8.2.jar/com/google/gwt/junit/linker/closurehelpers.js
MD5: 2df11a5f3690aa991f5b327958fa51d6
SHA1: 1ca87610a75d819b7681291efda14e29623f219b
SHA256: ca2a16c92adae2bb7d2f32e948cf0f74892a68477722c0e72ef62a4cfde0ea07
Referenced In Project/Scope: OpenKM Web Application:provided
Evidence: none
Identifiers: None
gwt-user-2.8.2.jar: initWindowCloseHandler.js
File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-user/2.8.2/gwt-user-2.8.2.jar/com/google/gwt/user/client/impl/initWindowCloseHandler.js
MD5: e7b8f571ae0a24e5f850ebd88acc0ff4
SHA1: e5a2ed16ed5a2736476ca011dfef836d049c0d62
SHA256: 4f2530b7c813de59ec9654f840b5e280b6bbf89c8bfcf423359926854de48983
Referenced In Project/Scope: OpenKM Web Application:provided
Evidence: none
Identifiers: None
gwt-user-2.8.2.jar: initWindowResizeHandler.js
File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-user/2.8.2/gwt-user-2.8.2.jar/com/google/gwt/user/client/impl/initWindowResizeHandler.js
MD5: 94b2e7183f363ee72758b981ea642bcd
SHA1: ea090795ccc0039cfed648dcef722dc15d22cb0f
SHA256: 413b8d90bfd5dd3cd1925e74d0ea8dc97ba2efbeecaf8a11e3b661781d529174
Referenced In Project/Scope: OpenKM Web Application:provided
Evidence: none
Identifiers: None
gwt-user-2.8.2.jar: initWindowScrollHandler.js
File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-user/2.8.2/gwt-user-2.8.2.jar/com/google/gwt/user/client/impl/initWindowScrollHandler.js
MD5: 61a257f10f806b6d71d7bcfa541f132b
SHA1: 7543afe38b20b1e70a100eb58374cd2e97f88f6a
SHA256: f412b5fd48176742090c4cb6dea7477c5a6b2720bd488225fcfd147ebc163715
Referenced In Project/Scope: OpenKM Web Application:provided
Evidence: none
Identifiers: None
gwt-vl-2.0b-without-hibernate.jar
File Path: /home/vaclav/.m2/repository/gwt-vl/sourceforge/net/gwt-vl/2.0b-without-hibernate/gwt-vl-2.0b-without-hibernate.jar
MD5: 2b7e52489be1b90f4995ebbd4cfa309f
SHA1: b4d6273f190fc3cec55ca3e8f4c75cdb43fae370
SHA256: a5b10bdc38d354ff1dee304d14ac6a214ca66dc27b06e379c614d6e8d4a50237
Referenced In Project/Scope: OpenKM Web Application:compile
gwt-vl-2.0b-without-hibernate.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
This is the core API of the hamcrest matcher framework to be used by third-party framework providers. This includes a foundation set of matcher implementations for common operations.
File Path: /home/vaclav/.m2/repository/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0
SHA256: 66fdef91e9739348df7a096aa384a5685f4e875584cce89386a7a47251c4d8e9
Referenced In Project/Scope: OpenKM Web Application:compile
hamcrest-core-1.3.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/junit/junit@4.11
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/haml/haml.js
MD5: 34e32d03c8b03cfc4c3d0a35956ffe73
SHA1: a6491f4006aa0bf1df56ec4af3fdf3d0404784c9
SHA256: c20b08cd9d3da1a3ac6f926884c36f3d6faf8aabc6a3cf59bc8a301e4517ed6d
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
hardwrap.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/wrap/hardwrap.js
MD5: ef9a6f7c7640e3af40060a9066d19acd
SHA1: 02a8b85561b9d4c44bc08e73d28c5ebaa9a31f71
SHA256: 04ba700213ce2182ea75b321847055d16da770b0178f1c989e72b5541fe10ff8
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
haskell.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/haskell/haskell.js
MD5: 17fe6c2bad0e7410f3315e38434dbb8f
SHA1: 2defad5d931c7ed1558100c8a46d233ee33e0029
SHA256: ba3024aaf10ee6651e65faa9b581ff452cdc3b3a4b09db7d05ed516b888479c2
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
haxe.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/haxe/haxe.js
MD5: 471f1fcc5b4278ce48cfd3b437927255
SHA1: 693b68c8c400e55be95fcf85bc5c6c19ec552bce
SHA256: 6654c345e99d5c6001d4a7955c0b887f12e6109f6692681df50cf7f715ee8ffc
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
he_IL.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/he_IL.js
MD5: 3d46a747d7adb8ec7f8c866eb7a903d2
SHA1: f60895ffad2f499c0dc3f4d6888fc18b0cee31c2
SHA256: dc0f4dc328df2787e8dc765c014358d1fa5a29e23a2d2d49026d01202a1c4732
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
hibernate-commons-annotations-3.2.0.Final.jar
Description:
Common reflection code used in support of annotation processing
License:
GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/lgpl.txt
File Path: /home/vaclav/.m2/repository/org/hibernate/hibernate-commons-annotations/3.2.0.Final/hibernate-commons-annotations-3.2.0.Final.jar
MD5: 8ae1ea6c2a3d854c6436f6f70e04f699
SHA1: ce990611448fc2865469e3b68d2fe76b050e3c4f
SHA256: b9abf4d76da72dc06a24399ebd9e55a7ab2e58d53ca766e7fd562c32fde45464
Referenced In Project/Scope: OpenKM Web Application:compile
hibernate-commons-annotations-3.2.0.Final.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.hibernate/hibernate-core@3.6.10.Final
File Path: /home/vaclav/.m2/repository/org/hibernate/hibernate-core/3.6.10.Final/hibernate-core-3.6.10.Final.jar
MD5: cdc5eb67414eb75f69382bbe637151c0
SHA1: 6b36a1eef76cbccc2757f22a795b5e12ab56b3d5
SHA256: 99abcfa253d24c2c3ee3c146927dc72afdc21e84b658b2632dc685ed1ff3094f
Referenced In Project/Scope: OpenKM Web Application:compile
hibernate-core-3.6.10.Final.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Hibernate definition of the Java Persistence 2.0 (JSR 317) API.
License:
license.txt
File Path: /home/vaclav/.m2/repository/org/hibernate/javax/persistence/hibernate-jpa-2.0-api/1.0.1.Final/hibernate-jpa-2.0-api-1.0.1.Final.jar
MD5: d7e7d8f60fc44a127ba702d43e71abec
SHA1: 3306a165afa81938fc3d8a0948e891de9f6b192b
SHA256: bacfb6460317d421aa2906d9e63c293b69dc1a5dac480d0f6416df50796a4bb3
Referenced In Project/Scope: OpenKM Web Application:compile
hibernate-jpa-2.0-api-1.0.1.Final.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.hibernate/hibernate-core@3.6.10.Final
File Path: /home/vaclav/.m2/repository/org/hibernate/hibernate-search/3.4.2.Final/hibernate-search-3.4.2.Final.jar
MD5: c985a7d20374163655a2e86c75ea9826
SHA1: d700f79603ac3f681531486924c4c5a2ba48fca1
SHA256: 3ea5d58fc7c6a16d58fd0e81ea7da1e6ae53e6122f56d4eab5f30ff38c0d3e1c
Referenced In Project/Scope: OpenKM Web Application:compile
hibernate-search-3.4.2.Final.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
File Path: /home/vaclav/.m2/repository/org/hibernate/hibernate-validator/4.2.0.Final/hibernate-validator-4.2.0.Final.jar
MD5: 2b6b64bce7156ca6e9b7f5e6a0a6de7c
SHA1: eac2db0a9d86a9749724fe93d43afffa8106f25e
SHA256: 38dd0af5fdad46bb30270f2d987136ad5ea9bc16927182af7d639e78828133a5
Referenced In Project/Scope: OpenKM Web Application:compile
hibernate-validator-4.2.0.Final.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12
In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allow it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission, an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2017-7536 for details
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.
CWE-264 Permissions, Privileges, and Access Controls
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/hr.js
MD5: 743705fb6eabf3ee7d6e1ea1ea5b21da
SHA1: 91a2a7b273fda83fc5d6d601882b19ecca6c430f
SHA256: 0949ba160d7e01133eb9345305906f6baca0ba9b994616251440b2f6be5e9d98
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
html-hint.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/html-hint.js
MD5: 8e8160c22d56fd2ab5e6076c7d111567
SHA1: 1895814e41ac7b226d9cf041dab3111fe1b06fae
SHA256: 995d59fdd28796f4b274da8b520f0507d8584b8d052c67b9e5bc0164b43fd467
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
html5gwt-140127.jar
File Path: /home/vaclav/.m2/repository/com/github/akjava/html5gwt/140127/html5gwt-140127.jar
MD5: 48c496452b25020dab79fb0c20839582
SHA1: 8da52c46192c0af53e8d2c41e880ac73b80796ef
SHA256: bcb204099e8061c8213802056c02b3446b9b6b256fe0584cf8bb93378d28cd66
Referenced In Project/Scope: OpenKM Web Application:compile
html5gwt-140127.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/htmlembedded/htmlembedded.js
MD5: e83607e4ae9916fa58c5165639b5f672
SHA1: fdebe690b6aa5e4de41bef4ec066b54d428fb428
SHA256: a2a62384bf7c202405eec1d68195f59843e46f3e47ecd95cfb91b3bea6e012fe
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
htmlmixed.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/htmlmixed/htmlmixed.js
MD5: 641430c683c7ddc1a15a225276ad12eb
SHA1: 6120f6c93c083704db192f1bb25f6d46f3ce5877
SHA256: 0cadecaf3cbf504e3795fd00264e9c4b4c1382ac024bbefb611b03bc4e05f080
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
http.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/http/http.js
MD5: 1fca566b1daf47b8e1bb59056311c27f
SHA1: 5bcc8b00286662007936b03e9008ecb6bde3bdbe
SHA256: 6f82145df096decfcfac5e19b0474e20e7f88db4bda5b218cb8b99afa840d17e
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
httpclient-4.0.1.jar
Description:
HttpComponents Client (base module)
License:
Apache License: ../LICENSE.txt
File Path: /home/vaclav/.m2/repository/org/apache/httpcomponents/httpclient/4.0.1/httpclient-4.0.1.jar
MD5: 9ca98774860101c06ca9010efd6224a1
SHA1: 1d7d28fa738bdbfe4fbd895d9486308999bdf440
SHA256: 752596ebdc7c9ae5d9a655de3bb06d078734679a9de23321dbf284ee44563c03
Referenced In Project/Scope: OpenKM Web Application:compile
httpclient-4.0.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.api-client/google-api-client@1.20.0
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
File Path: /home/vaclav/.m2/repository/org/apache/httpcomponents/httpcore/4.0.1/httpcore-4.0.1.jar
MD5: 6c1963fd8ac0c40c004c9e892e0d7703
SHA1: e813b8722c387b22e1adccf7914729db09bcb4a9
SHA256: 3b6bf92affa85d4169a91547ce3c7093ed993b41ad2df80469fc768ad01e6b6b
Referenced In Project/Scope: OpenKM Web Application:compile
httpcore-4.0.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.api-client/google-api-client@1.20.0
File Path: /home/vaclav/.m2/repository/com/ibm/icu/icu4j/50.1.1/icu4j-50.1.1.jar
MD5: 8960c153e865c776d6d49491c1f27753
SHA1: c1267563fd08f2885bc1f934ddaca15d19c3d888
SHA256: e579e154f63ca51c8108f88c3a109d5ebc4d84f165d12335fb1ae2734a8aa5f0
Referenced In Project/Scope: OpenKM Web Application:compile
icu4j-50.1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | icu4j | High
Vendor | file (hint) | name | icu-project | High
Vendor | file (hint) | name | unicode | High
Vendor | jar | package name | ibm | Highest
Vendor | jar | package name | icu | Highest
Vendor | Manifest | bundle-copyright | Copyright 2000-2012, International Business Machines Corporation and others. All Rights Reserved. | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | bundle-symbolicname | com.ibm.icu | Medium
Vendor | Manifest | Implementation-Vendor | IBM Corporation | High
Vendor | Manifest | Implementation-Vendor-Id | com.ibm | Medium
Vendor | Manifest | specification-vendor | icu-project.org | Low
Vendor | pom | artifactid | icu4j | Highest
Vendor | pom | artifactid | icu4j | Low
Vendor | pom | developer id | deborah | Medium
Vendor | pom | developer id | doug | Medium
Vendor | pom | developer id | emmons | Medium
Vendor | pom | developer id | mark | Medium
Vendor | pom | developer id | markus | Medium
Vendor | pom | developer id | pedberg | Medium
Vendor | pom | developer id | srl | Medium
Vendor | pom | developer id | yoshito | Medium
Vendor | pom | developer name | Deborah Goldsmith | Medium
Vendor | pom | developer name | Doug Felt | Medium
Vendor | pom | developer name | John Emmons | Medium
Vendor | pom | developer name | Mark Davis | Medium
Vendor | pom | developer name | Markus Scherer | Medium
Vendor | pom | developer name | Peter Edberg | Medium
Vendor | pom | developer name | Steven Loomis | Medium
Vendor | pom | developer name | Yoshito Umaoka | Medium
Vendor | pom | developer org | Apple | Medium
Vendor | pom | developer org | Google | Medium
Vendor | pom | developer org | IBM Corporation | Medium
Vendor | pom | groupid | com.ibm.icu | Highest
Vendor | pom | name | ICU4J | High
Vendor | pom | url | http://icu-project.org/ | Highest
Vendor | pom (hint) | artifactid | icu-project | Highest
Vendor | pom (hint) | artifactid | icu-project | Low
Vendor | pom (hint) | artifactid | unicode | Highest
Vendor | pom (hint) | artifactid | unicode | Low
Vendor | pom (hint) | name | icu-project | High
Vendor | pom (hint) | name | unicode | High
Product | file | name | icu4j | High
Product | hint analyzer | product | international_components_for_unicode | Highest
Product | jar | package name | ibm | Highest
Product | jar | package name | icu | Highest
Product | Manifest | bundle-copyright | Copyright 2000-2012, International Business Machines Corporation and others. All Rights Reserved. |
File Path: /home/vaclav/.m2/repository/com/sun/istack/istack-commons-runtime/3.0.7/istack-commons-runtime-3.0.7.jar
MD5: 83e9617b86023b91bd54f65c09838f4b
SHA1: c197c86ceec7318b1284bffb49b54226ca774003
SHA256: 6443e10ba2e259fb821d9b6becf10db5316285fc30c53cec9d7b19a3877e7fdf
Referenced In Project/Scope: OpenKM Web Application:runtime
istack-commons-runtime-3.0.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.1
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/it.js
MD5: 934e305d21c179aa25f35472e301a525
SHA1: 647e0105d1f7b743315d4a0c95457cf039c89263
SHA256: b0803ea14507b77edc9863d7e633d7cfdfff8ca80f470f5cbb11c0f6f39ffba7
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
itext-2.1.7.js6.jar
Description:
iText, a free Java-PDF library
License:
Mozilla Public License: http://www.mozilla.org/MPL/MPL-1.1.html
File Path: /home/vaclav/.m2/repository/com/lowagie/itext/2.1.7.js6/itext-2.1.7.js6.jar
MD5: 988f560be1dc15fd4bcdbfd1d7a33270
SHA1: 06d16b69482c32d7ecf6fd513749db6f04c97ec8
SHA256: 188fa94aa84e5ba4ef6f03109fcc38b127de4c05057631648e9d237372fe6de2
Referenced In Project/Scope: OpenKM Web Application:compile
itext-2.1.7.js6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
CWE-611 Improper Restriction of XML External Entity Reference
iText v7.1.17, up to (excluding) 7.1.18 and 7.2.2, was discovered to contain an out-of-memory error via the component readStreamBytesRaw, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
CWE-770 Allocation of Resources Without Limits or Throttling
iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
File Path: /home/vaclav/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.9.0/jackson-annotations-2.9.0.jar
MD5: c09faa1b063681cf45706c6df50685b6
SHA1: 07c10d545325e3a6e72e06381afe469fd40eb701
SHA256: 45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a
Referenced In Project/Scope: OpenKM Web Application:compile
jackson-annotations-2.9.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
File Path: /home/vaclav/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.9.7/jackson-core-2.9.7.jar
MD5: ae90e61fef491afefbc9c225b6497753
SHA1: 4b7f0e0dc527fab032e9800ed231080fdc3ac015
SHA256: 9e5bc0efabd9f0cac5c1fdd9ae35b16332ed22a0ee19a356de370a18a8cb6c84
Referenced In Project/Scope: OpenKM Web Application:compile
jackson-core-2.9.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
Description:
Jackson is a high-performance JSON processor (parser, generator)
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/codehaus/jackson/jackson-core-asl/1.9.11/jackson-core-asl-1.9.11.jar
MD5: 49801a6d43725d5c3a1a52ca021d7dc5
SHA1: e32303ef8bd18a5c9272780d49b81c95e05ddf43
SHA256: 5fb6924b888550a9b0e8420747a93cc4ad24e03e724dcf4934c30cc0c4882ffc
Referenced In Project/Scope: OpenKM Web Application:compile
jackson-core-asl-1.9.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.amazonaws/aws-java-sdk@1.3.0
File Path: /home/vaclav/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.7/jackson-databind-2.9.7.jar
MD5: 2916db8b36f4078f07dd9580bccec6c2
SHA1: e6faad47abd3179666e89068485a1b88a195ceb7
SHA256: 675376decfc070b039d2be773a97002f1ee1e1346d95bd99feee0d56683a92bf
Referenced In Project/Scope: OpenKM Web Application:compile
jackson-databind-2.9.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CWE-502 Deserialization of Untrusted Data, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CWE-502 Deserialization of Untrusted Data, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CWE-611 Improper Restriction of XML External Entity Reference
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
CWE-770 Allocation of Resources Without Limits or Throttling
File Path: /home/vaclav/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.16.1/jackson-dataformat-yaml-2.16.1.jar
MD5: f08a64b0e8a224690e774ea3d5dcd00f
SHA1: 8e4f1923d73cd55f2b4c0d56ee4ed80419297354
SHA256: fd67e0fafe368ad3dfc1b545eb8fe084a5c64628fb71ef70bd94a4dab27aefff
Referenced In Project/Scope: OpenKM Web Application:compile
jackson-dataformat-yaml-2.16.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.6.3
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/jade/jade.js
MD5: b9fefc2fb908a70e5006f3f76824973c
SHA1: 3ddf874dcdfb20287e331acd21b4a0b20d7b6875
SHA256: d49261b1276a7017902bb1f9c485560c01e9c4e039ede8bfe7eb93581fff9aee
Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
jakarta-regexp-1.4.jar
File Path: /home/vaclav/.m2/repository/jakarta-regexp/jakarta-regexp/1.4/jakarta-regexp-1.4.jar
MD5: 5d8b8c601c21b37aa6142d38f45c0297
SHA1: 0ea514a179ac1dd7e81c7e6594468b9b9910d298
SHA256: 85ea3985d7fec552d6de6f02d8e18789c3fcd539081eb8c7c444eabf6cb3f7bc
Referenced In Project/Scope: OpenKM Web Application:compile
jakarta-regexp-1.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.lucene/lucene-queries@3.1.0
File Path: /home/vaclav/.m2/repository/com/sun/activation/jakarta.activation/1.2.2/jakarta.activation-1.2.2.jar
MD5: 0b8bee3bf29b9a015f8b992035581a7c
SHA1: 74548703f9851017ce2f556066659438019e7eb5
SHA256: 02156773e4ae9d048d14a56ad35d644bee9f1052a791d072df3ded3c656e6e1a
Referenced In Project/Scope: OpenKM Web Application:runtime
jakarta.activation-1.2.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.6.3
File Path: /home/vaclav/.m2/repository/jakarta/activation/jakarta.activation-api/1.2.2/jakarta.activation-api-1.2.2.jar
MD5: 1cbb480310fa1987f9db7a3ed7118af7
SHA1: 99f53adba383cb1bf7c3862844488574b559621f
SHA256: a187a939103aef5849a7af84bd7e27be2d120c410af291437375ffe061f4f09d
Referenced In Project/Scope: OpenKM Web Application:compile
jakarta.activation-api-1.2.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.6.3
File Path: /home/vaclav/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
MD5: 8b165cf58df5f8c2a222f637c0a07c97
SHA1: 59eb84ee0d616332ff44aba065f3888cf002cd2d
SHA256: 85fb03fc054cdf4efca8efd9b6712bbb418e1ab98241c4539c8585bbc23e1b8a
Referenced In Project/Scope: OpenKM Web Application:compile
jakarta.annotation-api-1.3.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxrs@3.6.3
License:
Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/vaclav/.m2/repository/jakarta/jws/jakarta.jws-api/2.1.0/jakarta.jws-api-2.1.0.jar
MD5: 9e3bc505722b1e84535d7edb3d582ca1
SHA1: 7d283ef13e49c1422701e30639371edca788c609
SHA256: d4c321f47a72001977fa11d2df408db23bf5f46e954aeb2c6f1ecda4dfef8fd8
Referenced In Project/Scope: OpenKM Web Application:compile
jakarta.jws-api-2.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.6.3
File Path: /home/vaclav/.m2/repository/jakarta/ws/rs/jakarta.ws.rs-api/2.1.6/jakarta.ws.rs-api-2.1.6.jar
MD5: c3892382aeb5c54085b22b1890511d29
SHA1: 1dcb770bce80a490dff49729b99c7a60e9ecb122
SHA256: 4cea299c846c8a6e6470cbfc2f7c391bc29b9caa2f9264ac1064ba91691f4adf
Referenced In Project/Scope: OpenKM Web Application:compile
jakarta.ws.rs-api-2.1.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxrs@3.6.3
File Path: /home/vaclav/.m2/repository/jakarta/xml/bind/jakarta.xml.bind-api/2.3.3/jakarta.xml.bind-api-2.3.3.jar
MD5: 61286918ca0192e9f87d1358aef718dd
SHA1: 48e3b9cfc10752fba3521d6511f4165bea951801
SHA256: c04539f472e9a6dd0c7685ea82d677282269ab8e7baca2e14500e381e0c6cec5
Referenced In Project/Scope: OpenKM Web Application:compile
jakarta.xml.bind-api-2.3.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.6.3
Description:
Provides the API for creating and building SOAP messages.
License:
Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/vaclav/.m2/repository/jakarta/xml/soap/jakarta.xml.soap-api/1.4.2/jakarta.xml.soap-api-1.4.2.jar
MD5: d19eb8a4a5401296985db733868425e0
SHA1: 4f71fa8ca30be4d04ba658339df3c927fa21209a
SHA256: 0b2e9db574869c09b18e7fe87482be2e4e14b3f3cc8207646595806eede77706
Referenced In Project/Scope: OpenKM Web Application:compile
jakarta.xml.soap-api-1.4.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.6.3
License:
Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/vaclav/.m2/repository/jakarta/xml/ws/jakarta.xml.ws-api/2.3.3/jakarta.xml.ws-api-2.3.3.jar
MD5: ce470c38b9dbdcb8e505d41d767be748
SHA1: 529fe0136be92861e5a255fbc99146f1943c4332
SHA256: c8e0ba03c47cd5e996fd5d83540caaeab69cd8d531f128318d88e15467d112c1
Referenced In Project/Scope: OpenKM Web Application:compile
jakarta.xml.ws-api-2.3.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.6.3
File Path: /home/vaclav/.m2/repository/net/sourceforge/jashi/2008.07.31/jashi-2008.07.31.jar
MD5: bd06c15a6ba863265c490c44aea973f0
SHA1: 20c70fda2e40003d977b3135882f2192b57bff69
SHA256: 31e8a8c19196739b158cec3ecf8684588d99d8fd4b0b9020924107d182395d49
Referenced In Project/Scope: OpenKM Web Application:compile
jashi-2008.07.31.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
GNU Lesser General Public License: http://jasperreports.sourceforge.net/license.html
File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar MD5: a628a2e6a1b6052660592d9e286e2d1d SHA1: ba87d1b3e5de5b6822ebb7c207896056039cde03 SHA256:b39ea10447ed43dddc4aeee097069466d684d4a4934158ec2c5889abe95f7eed Referenced In Project/Scope: OpenKM Web Application:compile jasperreports-6.4.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
A vulnerability in the report scripting component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, TIBCO Jaspersoft Studio Community Edition, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow analytic reports that contain scripting to perform arbitrary code execution. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO JasperReports Library: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.1; 6.4.2, TIBCO JasperReports Library Community Edition: versions up to and including 6.4.3, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2, TIBCO Jaspersoft Studio: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO Jaspersoft Studio Community Edition: versions up to and including 6.4.3, TIBCO Jaspersoft Studio for ActiveMatrix BPM: versions up to and including 6.4.2.
The domain management component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a race-condition vulnerability that may allow any users with domain save privileges to gain superuser privileges. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Description: TIBCO JasperReports Library contains a directory-traversal vulnerability that may allow web server users to access contents of the host system.
Required Action: Apply updates per vendor instructions.
The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/components/headertoolbar/resources/require/jive.interactive.column.js MD5: e77f16b48d85465e64118e5fd9ab5b48 SHA1: 0eb051fd2338d72562e81923bd86676e8613f78d SHA256:78ae764d6e953d0841ece6944052391916358b93bd632815a2aa3251807302ea Referenced In Project/Scope: OpenKM Web Application:compile
Evidence: (no entries)
Identifiers: None
jasperreports-6.4.3.jar: jive.interactive.sort.js
File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/components/sort/resources/jive.interactive.sort.js MD5: 0375b5c3fcf2a782fb835f3abe797d35 SHA1: f5c6a0c4155b17aa56c4c76b363ed543a6a2e801 SHA256:d2b9f32db7668e4fe125957e7b14724a65ad21f2fad60a78d56ab299c537c108 Referenced In Project/Scope: OpenKM Web Application:compile
Evidence: (no entries)
Identifiers: None
jasperreports-6.4.3.jar: jive.js
File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/components/headertoolbar/resources/require/jive.js MD5: 77b2f726de0bdf4663ccdfc38330a4d1 SHA1: 37a2280503f329be6ec83789ef83179309c64842 SHA256:f265de0b377a0badd18e6c5feb141a2a85fda91f701b0bf0e0f8acaf508716ec Referenced In Project/Scope: OpenKM Web Application:compile
Evidence: (no entries)
Identifiers: None
jasperreports-6.4.3.jar: jive.sort.js
File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/components/sort/resources/jive.sort.js MD5: a59ceb3e639af3cdd6ca6209bad0db11 SHA1: fe80e9f3b9e4dac807950762e9255deb3e86d026 SHA256:9e0f0b7bb09de0eb4d9694e5d1d92aa051f13330e656c50ba62368137fccb0b1 Referenced In Project/Scope: OpenKM Web Application:compile
Evidence: (no entries)
Identifiers: None
jasperreports-6.4.3.jar: jive.table.js
File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/components/headertoolbar/resources/require/jive.table.js MD5: 2d5c7e5595b25502a7d3d3018df1344b SHA1: 1cc7622c13bda8f8bcc645c7a68fdc48c77a1d61 SHA256:30d4017a0644307ccfa42b76d0008a3fc3738427c015a7932dbecf0dc85b6bd6 Referenced In Project/Scope: OpenKM Web Application:compile
Evidence: (no entries)
Identifiers: None
jasperreports-6.4.3.jar: process.js
File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/phantomjs/process.js MD5: 5ad4b092e87c3e95e19637025fa2032a SHA1: 8650b2bba0f77b6df8c29d91b88a4670fd7a9fdd SHA256:13ebea4bfe1517fb49c0816211deab79c3fa9949f182869340e435564207585b Referenced In Project/Scope: OpenKM Web Application:compile
Evidence: (no entries)
Identifiers: None
jasypt-1.9.3.jar
Description:
Java library which enables encryption in java apps with minimum effort.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/jasypt/jasypt/1.9.3/jasypt-1.9.3.jar MD5: 39327c7e38782102ecdb3c9dc4e8dcd3 SHA1: 0d99ef9540f51c617f2a293b460f025d2ee563dd SHA256:f481fbb8dd8ce754bfde7552af4fcbe8c5e303d53663bb3d8ce9d4338e0e55aa Referenced In Project/Scope: OpenKM Web Application:compile jasypt-1.9.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.6.3
File Path: /home/vaclav/.m2/repository/net/shibboleth/utilities/java-support/7.5.2/java-support-7.5.2.jar MD5: 8841e4abf4e88a32737d0f2870f2f4af SHA1: 1b0a80b8c0713e3d6233c643c7421ece305b544f SHA256:bc6a861d2447d3a67c81fdf61f0595d38c94ebbe4364bec6d59cb1b87cb2e8b2 Referenced In Project/Scope: OpenKM Web Application:compile java-support-7.5.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.6.3
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/javascript-hint.js MD5: d79ae58e0f25aabc775c71bb0af99357 SHA1: 395a4a5048d017ee3081af8d202e4bf96e43805c SHA256:805c97fdeb10a3ebab5f474966b726cf15a4e55eceb6f7886677370dd6c4dfa4 Referenced In Project/Scope: OpenKM Web Application
Evidence: (no entries)
Identifiers: None
javascript-lint.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/lint/javascript-lint.js MD5: 618bf1f00fc8161c71613f443a34d13f SHA1: 760e7bba7b35052e72209611478a8233f7474258 SHA256:2c58d119ec57e849a147e916e719056e9b4e78474943ebe126e10c57ae5838c5 Referenced In Project/Scope: OpenKM Web Application
Evidence: (no entries)
Identifiers: None
javascript.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/javascript/javascript.js MD5: 7e66472c040cbb89589b5adf9c2e7f2f SHA1: 8ee97b348b9bb0f100de9993e8f62e662758613c SHA256:2a33e964f53df578ab2e20ec0da48f7d0a942f578167178c9d1ebcd3c71dc008 Referenced In Project/Scope: OpenKM Web Application
Evidence: (no entries)
Identifiers: None
javase-2.2.jar
Description:
Java SE-specific extensions to core ZXing library
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/google/zxing/javase/2.2/javase-2.2.jar MD5: 207b44a0524ce5a3901629ec8ef27246 SHA1: 049c7efbaa67727bef5f2dd79efba1ca35f3e7f0 SHA256:cc32f41b3fcff840bcdd08f14d24e7c170e382bd5c5a81a072ac075e66cc8426 Referenced In Project/Scope: OpenKM Web Application:compile javase-2.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/javassist/javassist/3.12.1.GA/javassist-3.12.1.GA.jar MD5: 30d9d95456d43005da78d7281accccd1 SHA1: 526633327faa61aee448a519e8a4d53ec3057885 SHA256:3f5780dacb4b28ad147100f74361bb338a45069d8034b24735bb8292d2856614 Referenced In Project/Scope: OpenKM Web Application:compile javassist-3.12.1.GA.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/org/javassist/javassist/3.21.0-GA/javassist-3.21.0-GA.jar MD5: 3dba2305f842c2891df0a0926e18bcfa SHA1: 598244f595db5c5fb713731eddbb1c91a58d959b SHA256:7aa59e031f941984af07dacc6ca85e6dc9bd3a485e9aa2494cbc034efa1225d0 Referenced In Project/Scope: OpenKM Web Application:compile javassist-3.21.0-GA.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.reflections/reflections@0.9.11
File Path: /home/vaclav/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar MD5: 5e50e56bcf4a3ef3bc758f69f7643c3b SHA1: 85262acf3ca9816f9537ca47d5adeabaead7cb16 SHA256:43fdef0b5b6ceb31b0424b208b930c74ab58fac2ceeb7b3f6fd3aeb8b5ca4393 Referenced In Project/Scope: OpenKM Web Application:compile javax.activation-api-1.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.1
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar MD5: 289075e48b909e9e74e6c915b3631d2e SHA1: 6975da39a7040257bd51d21a231b76c915872d38 SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff Referenced In Project/Scope: OpenKM Web Application:compile javax.inject-1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3
File Path: /home/vaclav/.m2/repository/com/sun/mail/javax.mail/1.6.2/javax.mail-1.6.2.jar MD5: 0b81d022797740d72d21620781841374 SHA1: 935151eb71beff17a2ffac15dd80184a99a0514f SHA256:45b515e7104944c09e45b9c7bb1ce5dff640486374852dd2b2e80cc3752dfa11 Referenced In Project/Scope: OpenKM Web Application:provided javax.mail-1.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Java.net - The Source for Java Technology Collaboration
License:
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/vaclav/.m2/repository/javax/servlet/javax.servlet-api/3.0.1/javax.servlet-api-3.0.1.jar MD5: 3ef236ac4c24850cd54abff60be25f35 SHA1: 6bf0ebb7efd993e222fc1112377b5e92a13b38dd SHA256:377d8bde87ac6bc7f83f27df8e02456d5870bb78c832dac656ceacc28b016e56 Referenced In Project/Scope: OpenKM Web Application:provided javax.servlet-api-3.0.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/javax/websocket/javax.websocket-api/1.0/javax.websocket-api-1.0.jar MD5: 510563ac69503be2d6cbb6d492a8027b SHA1: fc843b649d4a1dcb0497669d262befa3918c7ba8 SHA256:dd93009fb5aa3798bcd9ab0492a292ddae0f0b1ed2e45a75867a9925c90e747a Referenced In Project/Scope: OpenKM Web Application:provided javax.websocket-api-1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar MD5: bcf270d320f645ad19f5edb60091e87f SHA1: 8531ad5ac454cc2deb9d4d32c40c4d7451939b5d SHA256:88b955a0df57880a26a74708bc34f74dcaf8ebf4e78843a28b50eae945732b06 Referenced In Project/Scope: OpenKM Web Application:compile jaxb-api-2.3.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.1
File Path: /home/vaclav/.m2/repository/com/sun/xml/bind/jaxb-impl/2.1.11/jaxb-impl-2.1.11.jar MD5: 89da999f2402d204a96a92ba988e7be8 SHA1: 69e2546dae3895d25aeb5e70225e492d1b9bd696 SHA256:258edbd409dd52238d550a1f8640597b3b6853b8649b42b4dd55ec4d283e217d Referenced In Project/Scope: OpenKM Web Application:compile jaxb-impl-2.1.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0
File Path: /home/vaclav/.m2/repository/org/glassfish/jaxb/jaxb-runtime/2.3.1/jaxb-runtime-2.3.1.jar MD5: 848098e3eda0d37738d51a7acacd8e95 SHA1: dd6dda9da676a54c5b36ca2806ff95ee017d8738 SHA256:45fecfa5c8217ce1f3652ab95179790ec8cc0dec0384bca51cbeb94a293d9f2f Referenced In Project/Scope: OpenKM Web Application:runtime jaxb-runtime-2.3.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/org/plutext/jaxb-svg11/1.0.2/jaxb-svg11-1.0.2.jar MD5: 91f22bed36295692c384e846dfc460b0 SHA1: 3c0cd54d5691f5b5f8c60ed0c06353ff1db424e1 SHA256:6799f39d49d9dbfef140e76b33d0884d55372935768a3955900eb022576a760d Referenced In Project/Scope: OpenKM Web Application:compile jaxb-svg11-1.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.docx4j/docx4j@3.1.0
File Path: /home/vaclav/.m2/repository/org/plutext/jaxb-xmldsig-core/1.0.0/jaxb-xmldsig-core-1.0.0.jar MD5: 53ac0ceaf724c8fecfd15f6a845cb521 SHA1: 57514aa2f72111cfbc0a532ce88782735370e1e5 SHA256:f5c7ce3549cde8e26a2696aa5291a14a4c6168633a1b46b3483e01ab9681feb0 Referenced In Project/Scope: OpenKM Web Application:compile jaxb-xmldsig-core-1.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.docx4j/docx4j@3.1.0
File Path: /home/vaclav/.m2/repository/org/plutext/jaxb-xslfo/1.0.1/jaxb-xslfo-1.0.1.jar MD5: 234da3ab3340e000c10cd0dc917b7e15 SHA1: 85441209652b216f61160445b399f5bc97e370c6 SHA256:0162ddef898af716a2c95e17de0c2b3aa5ce5b6483da688c75479023b7186d56 Referenced In Project/Scope: OpenKM Web Application:compile jaxb-xslfo-1.0.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.docx4j/docx4j@3.1.0
File Path: /home/vaclav/.m2/repository/javax/xml/ws/jaxws-api/2.1/jaxws-api-2.1.jar MD5: f3a03da3f160081c75caac82a3515f91 SHA1: 204ea80c6a85f009c90bddda8c93c17644702022 SHA256:99e674edd93e447b2d13a7ce12b4c5e56ed3637921f77f7b561991deea53eed3 Referenced In Project/Scope: OpenKM Web Application:compile jaxws-api-2.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jaxws-api | High
Vendor | hint analyzer | vendor | web services | Medium
Vendor | jar | package name | javax | Highest
Vendor | jar | package name | ws | Highest
Vendor | jar | package name | xml | Highest
Vendor | Manifest | extension-name | javax.xml.ws | Medium
Vendor | Manifest | Implementation-Vendor | Sun Microsystems, Inc. | High
Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium
Vendor | pom | artifactid | jaxws-api | Highest
Vendor | pom | artifactid | jaxws-api | Low
Vendor | pom | groupid | javax.xml.ws | Highest
Product | file | name | jaxws-api | High
Product | hint analyzer | product | web services | Medium
Product | jar | package name | javax | Highest
Product | jar | package name | ws | Highest
Product | jar | package name | xml | Highest
Product | Manifest | extension-name | javax.xml.ws | Medium
Product | Manifest | Implementation-Title | Java API for XML Web Services Standard Implementation
Open source Reference Implementation of JSR-224: Java API for XML Web Services
License:
Dual license consisting of the CDDL v1.0 and GPL v2: https://glassfish.dev.java.net/public/CDDL+GPL.html
File Path: /home/vaclav/.m2/repository/com/sun/xml/ws/jaxws-rt/2.1.7/jaxws-rt-2.1.7.jar MD5: 9e88ea3a7fd6dee8d532342d5f585adf SHA1: e4da64bb02bef8ebb174ca17747e6a6bf4a01eeb SHA256:bad6e1e2da7cd3f0a8c5030b130ae2573b33460461744a8c80ce3e910d55aacd Referenced In Project/Scope: OpenKM Web Application:compile jaxws-rt-2.1.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0
Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2 allows remote attackers to affect availability via unknown vectors related to Metro.
File Path: /home/vaclav/.m2/repository/org/jbpm/jbpm3/jbpm-jpdl/3.3.1.OKM/jbpm-jpdl-3.3.1.OKM.jar MD5: 3ae64ee76f4e952d3f3ef99dc5a316ca SHA1: 08a0fe7368d0b43128b04772456b5065413db4e7 SHA256:b64576e0904c7333eead64b1db1b79b02879701efce787b513dbe8555c2e202d Referenced In Project/Scope: OpenKM Web Application:compile jbpm-jpdl-3.3.1.OKM.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
XML external entity (XXE) vulnerability in Drools and jBPM before 6.2.0 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted BPMN2 file.
JCommon is a free general purpose Java class library that is used in several projects at www.jfree.org, including JFreeChart and JFreeReport.
License:
GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: /home/vaclav/.m2/repository/org/jfree/jcommon/1.0.23/jcommon-1.0.23.jar MD5: 1b059adc60fef2da40b7130f9a67f977 SHA1: a316f336ca996e0c6bec4e4fbd49be8f5e1c3968 SHA256:1e670402809484c71ec74d55b40022a4c4939c7911bd39ee5a0cfb3aaf56397c Referenced In Project/Scope: OpenKM Web Application:compile jcommon-1.0.23.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/googlecode/jcsv/jcsv/1.4.0/jcsv-1.4.0.jar MD5: da45c324b09095a1e82b890a3324a571 SHA1: 3b2dfd1ff251cdcf4745a7643a966f14d10e2532 SHA256:73ca7d715e90c8d2c2635cc284543b038245a34f70790660ed590e157b8714a2 Referenced In Project/Scope: OpenKM Web Application:compile jcsv-1.4.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/jdom/jdom/1.0/jdom-1.0.jar MD5: 0b8f97de82fc9529b1028a77125ce4f8 SHA1: a2ac1cd690ab4c80defe7f9bce14d35934c35cec SHA256:3b23bc3979aec14a952a12aafc483010dc57579775f2ffcacef5256a90eeda02 Referenced In Project/Scope: OpenKM Web Application:compile jdom-1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/rome/rome@1.0
A complete, Java-based solution for accessing, manipulating, and outputting XML data
License:
Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txt
File Path: /home/vaclav/.m2/repository/org/jdom/jdom/2.0.2/jdom-2.0.2.jar MD5: f2ce377fffc36a069117c578c14139ba SHA1: d06c71e0df0ac4b94deb737718580ccce22d92e8 SHA256:2bdf7a48fddc9259f5aa420eee328e939d71302a6a1b79a176e4fd47ee988b97 Referenced In Project/Scope: OpenKM Web Application:compile jdom-2.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.ettrema/milton-api@1.8.1.4
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/vaclav/.m2/repository/org/codehaus/jettison/jettison/1.3.5/jettison-1.3.5.jar MD5: f89c69522ab58a11b8a6251d5035d289 SHA1: cdd210ae7fe10fd6bc3d9159142cb2a4da417020 SHA256:fc1acf29f13717c71bbe49dae931b0fc160f68e3aa2ae792a8fe2bd9f2d1966c Referenced In Project/Scope: OpenKM Web Application:compile jettison-1.3.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.
Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.
File Path: /home/vaclav/.m2/repository/org/mortbay/jetty/jetty/6.1.26/jetty-6.1.26.jar MD5: 12b65438bbaf225102d0396c21236052 SHA1: 2f546e289fddd5b1fab1d4199fbb6e9ef43ee4b0 SHA256:21091d3a9c1349f640fdc421504a604c040ed89087ecc12afbe32353326ed4e5 Referenced In Project/Scope: OpenKM Web Application:compile jetty-6.1.26.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.google.gdata/core@1.47.1
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D APIs, it currently supports bar charts, pie charts, line charts, XY-plots and time series plots.
License:
GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: /home/vaclav/.m2/repository/org/jfree/jfreechart/1.0.19/jfreechart-1.0.19.jar MD5: 4ff3762bd04a7239cfb98de542134bec SHA1: ba9ee7dbb2e4c57a6901c79f614ed2dea9cc0e20 SHA256:153d077d6399776a45de97c555ad026eb6201d4bd8af86cfce7b8b4ccfa66263 Referenced In Project/Scope: OpenKM Web Application:compile jfreechart-1.0.19.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/jinja2/jinja2.js MD5: 5ffd7a5537a77b189e94aa6a213a9999 SHA1: cd5b5b67d6d1af6b261fe49b199d4194042d969d SHA256:0dbb880857eb723321c95fbcae54c3db8b41b966258ef90a2ce65a5f29f4ab0d Referenced In Project/Scope: OpenKM Web Application
Evidence: (no entries)
Identifiers: None
jiu-2007.07.01.jar
File Path: /home/vaclav/.m2/repository/net/sourceforge/jiu/2007.07.01/jiu-2007.07.01.jar MD5: 775714a91e0d17113e70f37a1a1e830b SHA1: 990b51efb10d463e3ec2e8630ae21f6ec5ee3342 SHA256:6a4bb44b7e921fd5764d1b46abdef9756fcd162c98632ebe2674aa3c5d3793ea Referenced In Project/Scope: OpenKM Web Application:compile jiu-2007.07.01.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/org/alfresco/jlan/5.0.0/jlan-5.0.0.jar MD5: 878a3a416bf3d596a6341ba95b575443 SHA1: d84274eb67f61c79efc5ac0405d28dddf5d31660 SHA256:266688a94ced7c24f0851425c87aa18c69521d772f6a7e3018cb669e3f54ed17 Referenced In Project/Scope: OpenKM Web Application:compile jlan-5.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
An issue was discovered in Alfresco Community Edition versions 6.0 and lower. An unauthenticated, remote attacker could authenticate to Alfresco's Solr Web Admin Interface. The vulnerability is due to the presence of a default private key that is present in all default installations. An attacker could exploit this vulnerability by using the extracted private key and bundling it into a PKCS12. A successful exploit could allow the attacker to gain information about the target system (e.g., OS type, system file locations, Java version, Solr version, etc.) as well as the ability to launch further attacks by leveraging the access to Alfresco's Solr Web Admin Interface.
CWE-1188 Insecure Default Initialization of Resource
An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N. The Alfresco Share application is vulnerable to an Open Redirect attack via a crafted POST request. By manipulating the POST parameters, an attacker can redirect a victim to a malicious website over any protocol the attacker desires (e.g., http, https, ftp, smb, etc.).
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Cross-site request forgery (CSRF) vulnerability in the Alfresco module before 6.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete an alfresco node via unspecified vectors.
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
JMySpell is a spell-checker for Java applications, capable of seamlessly incorporating the existing OpenOffice.org dictionaries. Based on MySpell (but written in 100% Java.)
File Path: /home/vaclav/.m2/repository/org/dts/jmyspell-core/1.0.0-beta-2/jmyspell-core-1.0.0-beta-2.jar MD5: ff2496320fea8ac5c2083bfe08ca7f23 SHA1: 47a3f90f405377fc9239867e0ee91b48e1936ef2 SHA256:3b89ab0d04db1e7957731df37573de79b8038496572afcf8c7dfb1074da5f34f Referenced In Project/Scope: OpenKM Web Application:compile jmyspell-core-1.0.0-beta-2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jmyspell-core | High
Vendor | jar | package name | dts | Highest
Vendor | jar | package name | spell | Highest
Vendor | Manifest | extension-name | jmyspell-core | Medium
Vendor | pom | artifactid | jmyspell-core | Highest
Vendor | pom | artifactid | jmyspell-core | Low
Vendor | pom | groupid | org.dts | Highest
Vendor | pom | groupid | org.dts.spell | Highest
Vendor | pom | name | JMySpell Core Library | High
Vendor | pom | parent-artifactid | JMySpell | Low
Vendor | pom | url | http://jmyspell.javahispano.net | Highest
Product | file | name | jmyspell-core | High
Product | jar | package name | dts | Highest
Product | jar | package name | spell | Highest
Product | Manifest | extension-name | jmyspell-core | Medium
Product | Manifest | Implementation-Title | jmyspell-core | High
Product | Manifest | specification-title | JMySpell is a spell-checker for Java applications, capable of seamlessly incorporating the existing OpenOffice.org dictionaries. Based on MySpell (but written in 100% Java.)
Date and time library to replace JDK date handling
License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/joda-time/joda-time/2.10.10/joda-time-2.10.10.jar MD5: c2a46de8a73ec7b60011429561ae72e3 SHA1: 29e8126e31f41e5c12b9fe3a7eb02e704c47d70b SHA256:dd8e7c92185a678d1b7b933f31209b6203c8ffa91e9880475a1be0346b9617e3 Referenced In Project/Scope: OpenKM Web Application:compile joda-time-2.10.10.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.6.3
jodreports-2.4.0.jar
Description:
JODReports generates dynamic documents and reports based on the OpenDocument Format and FreeMarker.
License:
GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl.html
File Path: /home/vaclav/.m2/repository/net/sf/jodreports/jodreports/2.4.0/jodreports-2.4.0.jar MD5: 5c68dcd6d97331688503ac51e6b3b226 SHA1: 81397f93e3aa00f5c432677d592e988d7ffcc9cb SHA256:b823e7a7e654e31db02301cd28c09631c9598158f128e919b4fc564f1b57ce1e Referenced In Project/Scope: OpenKM Web Application:compile jodreports-2.4.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.1.0
cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.8
cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_retail_customer_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0
cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
jQuery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags whose closing tag contains a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes the contents of that parent label be treated as the input's label. If `.checkboxradio( "refresh" )` is called on such a widget and the initial HTML contained encoded HTML entities, those entities are erroneously decoded, which can lead to JavaScript code being executed. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery.tablescroll.js MD5: d88e1b01bcb21f98cf1d0ccbc3abdc26 SHA1: feabb79558104ff1fa5d21fc2303368ecf5d62e0 SHA256:1ac1eac58e911ecb0f302d87ac840f21a38960dde84552e036f937adf0e74823 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.tinymce.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/jquery.tinymce.min.js MD5: 58f056fe5cf8f5818ea18982b004f8a7 SHA1: a6316b8942c11a86df5062e7520ec9ea17e35b52 SHA256:83405de858139df240861e5b894b4f212f49bb2493231ac4b4994a56dd46bde4 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-af.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-af.js MD5: 3f6dc7167ebfdab2e4c06ca1f7ecbf55 SHA1: bed08a6fd05ad28385eba4ed30f9f4f3cf0989df SHA256:13b3c1956d1bc149f33324757cfefa91754176956bcd9983cf318603659d650f Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-ar-DZ.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ar-DZ.js MD5: f9c86467366d98200c97ac9c8b843fbb SHA1: ffa0c7c892badba21647d60bc72e9e2e72f10a2a SHA256:6a9710a4f0624fd5b67e0bd5311e75e4ac211890c9e1ed03431248d686ad9a03 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-ar.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ar.js MD5: 9924612cef93d8722863287157768180 SHA1: 7c7a19ed519eebbd56d52d9a19ebdd8e26dee3aa SHA256:bcf9c699e1ff78eb2ff4fce020d33b29c42ece158e339cd0e917e8c16a6865c2 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-az.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-az.js MD5: f9f7fb74b273da0307a8bd4ec7acb6b5 SHA1: 0b8467ea6271bd6bbf31748ec5f34d49b8671c8b SHA256:9b947cfd64b7ba7cdec93042eac8267e45cd2ae54e32ba362b09d5a8da1a8e7c Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-be.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-be.js MD5: 7b1c87006e19cac0f3590845efd008fb SHA1: 1d2278f0e74d9bbcf997faa39a0c7e60e3752381 SHA256:218798309f1b8ad3402996c2f9a821b8b0c13e929996ccc376590b508dd408e3 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-bg.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-bg.js MD5: d965b3639b678aaf5819db10189d3472 SHA1: 1fd69b71f06808121f617cbbf92a90e07ae7db6c SHA256:479166222f060a557252a6389c617ff9e1be7c780f0d6fd998510578f6eb9a95 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-bs.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-bs.js MD5: eeccd3d7df38ab2c37ae290e46b3cd93 SHA1: 390947bfb69a03a70caea25650e61f69740bd1e1 SHA256:ec0b5e7357984df430262e248b1633a16b51196c9538109d18218cfa5486f996 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-ca.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ca.js MD5: a857021fa5601842d94a41f20a5cab9d SHA1: d585621fcc39be2e34092d14efd04eccea938ec7 SHA256:d8c958bff79c04c38b1a9661867c6e9aa4d441280656765bdd77d0526651dcb0 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-cs.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-cs.js MD5: 54791b35c9819515ce0cad20b7537277 SHA1: c4f665c0056249a2897453a9eda0b5aa07bed10b SHA256:77775c1def8799f75956a30c425b074b7148346b115e17e70642a9e970135f54 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-cy-GB.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-cy-GB.js MD5: fb40b70ba78ef9f4251a86355c5f65f7 SHA1: bcc1447626324e44340f4275783e361ec9b85b64 SHA256:94723f001defcb68cd44f964d9f14bd380d60812072f394fa616e9eeb2e7f203 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-da.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-da.js MD5: 656d173c027d5a08186e39c156ba5597 SHA1: 440d0d100f9a72b3f5249c96a76268a142f59c16 SHA256:99a51207c0ebd4eb35d791e0519f68292ec7af75d60525e547d69ba667763096 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-de.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-de.js MD5: bf12bcbfcb995b003e6cb3c257904be6 SHA1: 5db60160f2b78fc0adccbf721db244e42d0eca17 SHA256:9ce890fdcd947065a60eee0cceb232b25fb250ec39ca39250beb99ea1fb28982 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-el.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-el.js MD5: c3150764daf20b6fa2142581180be1ad SHA1: 432be4c0563ab757b69bbbf8d9a82f5515259ffe SHA256:cc5dc0411fbb1f8b1ffaecf8fe7000f875a5599f0f06eefa2361271b02f58397 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-en-AU.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-en-AU.js MD5: 4a38655904f6c55da227cea464b55a2b SHA1: b69c650bad329c3b36c255a5f61a0674726caa31 SHA256:39fd50b8e82d9c4e07949d85f901a44b0ce559acf2e48214fa16efb970ce434a Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-en-GB.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-en-GB.js MD5: 24a226a281a11799c495abc21f696c23 SHA1: b56c752cc763f92dc3d4dfc7ce0b9df55a884899 SHA256:dc8de8a8e14ecce8bc75f3460763b8a1e7bcde04e860e176273318620d5c2163 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-en-NZ.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-en-NZ.js MD5: af985e8d034123f14696aa116027760d SHA1: 7eddb4245d43d61404a10ff380538f3fc16e5ace SHA256:8cd7fceb1d041507bcd5775aeeaac2b767d87af63be1ff5831c44e6e0194b3d1 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-en-US.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-en-US.js MD5: 266da8839e5b2dfae70046649239cec3 SHA1: 9bbd510e41ee35f753654244a2f826c7fd3a5837 SHA256:8093cacbe4f899c6e7cc02ce6511a8a756d2127aea8c25658f0b44211083702a Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-eo.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-eo.js MD5: e1f5d8ed4599ca392aeb284fe637df33 SHA1: 9ea43425f002fdf6725267e0d6cc29cf98c28b90 SHA256:1d54189ab7d969441b9ceea23a1666fa25eda877a7df31a797476c14210f1e8f Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-es-ES.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-es-ES.js MD5: 77606d5c3648f0188f3d6f05f07c2067 SHA1: 03a1a83e7d0bbd2f6ec7394dbc3148ad3e1dcc6d SHA256:00067531dff9d8c79a80f82e719ae83e1cb4e313376d0d3232a681981fc57a0f Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-et.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-et.js MD5: 1a7c15ddc89179a0e309d9e7d2b97ad4 SHA1: 239dd175dd10324ee8b6c9b5b1173f3ebfcc8648 SHA256:733e3f181e8a5324c199797511ba060fb2b5fdf5c54d782aefd573ae2f149dc8 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-eu.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-eu.js MD5: 24751dd4dcabb58b82ee0817fea84fd3 SHA1: 15abd806624a1caa7c5b252922129b4ee39500c1 SHA256:68dd427277bb609956d40fe822e798fc1546034bdf05ebb12dd08f89474dd7c5 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-fa.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-fa.js MD5: 9687cad817acecd88a808d7ef8c58fcf SHA1: 9e8767f975b4d97757794ed649d27fba11a263e2 SHA256:f7845b50abb0e91075630251c26faa8b6980819a594f9a2a589bc00defc585b8 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-fi.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-fi.js MD5: f435818611baafdd00cac4f264e29eae SHA1: d1dfc3711f0228e84532658b2ea1b6caecb6024b SHA256:aee8abba7739f6e64baa4d96082feb8c37c18a8d9ff72cbf1b17d6dd0c534028 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-fo.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-fo.js MD5: 85444da9fc4c900eba95f8ff4704688f SHA1: b68215d21446773c42c919002d087aa4bb8ee003 SHA256:12f827158b071908a77905cae65d11935099d91315a25d5c215d5071fd1167a7 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-fr-CA.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-fr-CA.js MD5: da166bae7a0b6dfd7d9e2f6bab4576dc SHA1: ee9f5d5e9361fa14ff222c3a7333fbd1c99f6996 SHA256:3dd635f09573d6c5dfe6c786148183ec249b8734eac4dbb80d700d8d9670d506 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-fr-CH.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-fr-CH.js MD5: 8b170b46edcc43d05082cc464244020f SHA1: ad0f6a728afb0975347bf428faa119eb44baaef3 SHA256:92a0494b9601c5bcd7db81fcd8c5e100341d7227ead0c01baa33c172a7275386 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-fr.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-fr.js MD5: 792d81b0e28e033f86f11a5602a450cc SHA1: 4c7ec2bafd9cdb8d91f9cfc4b79df0a122908ccf SHA256:bf326c3d6b49045372fc3b7c25045620473315cf5d061d53f2bb3862c0728992 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
jquery.ui.datepicker-gl.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-gl.js MD5: 0f4dee4528f5f8fb8eb20a14496b7e37 SHA1: 1cb4058a7d50c0d2eb49b7e2b5163c4a5e762e00 SHA256:92948fb2f83cfe000d45dcae288157542307a75a305177a025cade62bfddeaf0 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-he.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-he.js MD5: b2ad344bf1df226aa1a760f1d3653da7 SHA1: c3f6c4358e461eeee215717d53d67fec2d8fe261 SHA256:bac9f114d740aa38a779bc80100c97286164ad41480b31da4bccbc95b7935eb0 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-hi.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-hi.js MD5: 1e2602a3c232f31242c47a9cadccf9dd SHA1: 8edec8989770a74e287ab441f69da4aaadfa6154 SHA256:7eb94397bb3d0b2f0b9132eeb4c8ada7dfe6b97cd78dd1cf628be69c0d6b2976 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-hr.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-hr.js MD5: 7582ea79c7fd35b2b7758ff103b11b4b SHA1: 84226c30a4ecf5d2cacddaa99fa660ebe51ff5ff SHA256:988c4ba1736daff5d1799897aa880ef24e31a738e99ae99cd818ee4dd93c5419 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-hu.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-hu.js MD5: dee235f99823541ec88be57dec431230 SHA1: 43ca2f7eab22cf20860813dd19a4f9772ff091c7 SHA256:b19a8362602777cc9614db8f9fca8b63060b6238c0c07dfa54e03bca288c8315 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-hy.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-hy.js MD5: 2f3828a4c02a475b1b8966609721b9c3 SHA1: 8c8ca28a10a0726816fa90b582d8bb1023bdf6f7 SHA256:705ff381431c46e3012cfb530a5b84540eb0f787c2e54348e84f930e6525a2a7 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-id.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-id.js MD5: fb0ad98a3ad212b1986fcac5015b0435 SHA1: 86391d3567e26824cc649d8bece9d35685adbc01 SHA256:a9fae5d5808276b31b4a85ad344ee0fa050cad2147106a4d6f2d7d3c403c0142 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-is.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-is.js MD5: 447892a5c1601bb524d7e2cf5ff6cb33 SHA1: 64e30bc3d5cf0c49dcd8705d8f82ff8dc7883626 SHA256:d1b4c3263f134b715b2bcec9688a31a8c676f1c038794cad1588ad12b667f730 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-it.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-it.js MD5: 7e651d93d0219066bf596faa06db4a81 SHA1: 6dc2ba67a57cd0695d4077961d6d9e2e245ca82a SHA256:2ef97e23310c1525d262acd307b3e4b976387e44c290bdb34ce724324612745a Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-ja.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ja.js MD5: bf1cf98e79f2d6792c7c7a193b4c7497 SHA1: 71168b37c4a2a53b8aa30731f5fe4154df109ba3 SHA256:101380ee8d213449093b915221d72a9917018ea442c6b6058f20b1f7e5bedb89 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-ka.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ka.js MD5: fd0b08bdc63b1d969fa2df907083062a SHA1: d35cfbee7786e5d29dba7ad982e5a4c7f7e5813c SHA256:659e2cc8a6a198eb17008e9d44e3f82b42a3f611c37278bd0cf956e8028c5180 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-kk.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-kk.js MD5: 57a792b4c55dc23b2095cc190180c440 SHA1: b58aa056f7e5e71ac0796bff79f214fe70f16ef6 SHA256:63077d05179199e096c0d7cc44b8a20a9a5425f2b282cda377f68bf95dd910a0 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-km.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-km.js MD5: f5c6ed9f64ff97adfd29cb149176021f SHA1: 78fcad452026a541d33c6ad3a51711f2580a2736 SHA256:3a56ebf89b52dd58d4b58c04978c63eb4976a477eb91d6a2c6eabca6be37cf26 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-ko.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ko.js MD5: 5fb849693b65beed7146624ba498b517 SHA1: bbbe4628d900b4bb858693e48143883d9aefd947 SHA256:0b9ee770f950e4f220deb9541b385c3f376f109e7875c311ce9ccd98f92b0233 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-ky.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ky.js MD5: a5db310345d66c395b592fd2f6136bf0 SHA1: 2c66d7a4400a55876fe0a8973f6ab7bd9947460f SHA256:c49eaa510f5e3e0f271d2201e480429e15c39ada24a561a880bc5df051f5ffb4 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-lb.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-lb.js MD5: 642aa75625a4ab2c324fb5df74063509 SHA1: eaf044a0a6154d3d16c77a53ba41d38b70e3a69d SHA256:2ead8f0cc952f0cf9bbad1831a9d15fe554a2735d20ae1f4938522fb351603f2 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-lt.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-lt.js MD5: 162b7b6e9e935c89b62260f13bb98429 SHA1: 171342f4742d193111e6b05bda27599ecfd68402 SHA256:821a29051e418df2bf13d6c7af1a1a6ab0bd71105872ff43e147fae9cc731e2f Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-lv.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-lv.js MD5: 37874227817498b9976e5c66e4da0eb9 SHA1: d41b6eda5119a118a4206d74858e25ebb6df5c15 SHA256:5ba0490f504d0635ec8640272ca170b922905a883fd8ad408be1a018ca189b9c Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-mk.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-mk.js MD5: cdfdd4b3a2e181c9ed297fa55c739d5e SHA1: f75e1af88996ce6847c0b466311dc346a813a1f7 SHA256:d31c531a148acbb9fd6d2fe064ab5886d8a469232864e381e2f405636bbfdc29 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-ml.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ml.js MD5: 17fe3b0548bf5a2c9f4e0b081efaeb04 SHA1: fa67abeb3b2cfaacb309a9ee3a4fe31a9338e20b SHA256:41ffd94f610100d8d34394fa99d06d4f7f65d995274c8bb40316f391f9040a94 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-ms.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ms.js MD5: 51efc50e21ae012a17f4f3cd0f2ac93d SHA1: c7dd10401add9f15bea0206a72def3c16b879cc2 SHA256:6cda00c91cbaf3bd3befa1fd81f2d1ce84d63d718e4b6db39e828f2002d74a74 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-nb.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-nb.js MD5: 693af0abc258aaf903c4d4b23a882676 SHA1: be0e9f36cb1c3a233deedb271f0ddbfe1395bb01 SHA256:3fe450479f223383aa5fd3b06e2350c3f991315991f9c4e1c102ccf7525bf82a Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-nl-BE.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-nl-BE.js MD5: 60b63d90f6eb6ea3334ec75d6a0831ec SHA1: 4fc62c2beb91150f403cbb72510c7d73ae87a7de SHA256:c6700222a07bb785e1bcc832bbda73f56f463991ac4d0f26fc3fef30822faca9 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-nl.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-nl.js MD5: 8c765466b1bb2709f8c9db056029ec89 SHA1: a541272380cc332658aad66e66d673c8b33072f8 SHA256:f5879fd10c096a7f0ec223f0f8f94e22b22d4f91787092121816fe436517c4da Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-nn.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-nn.js MD5: 690553270244b0de96ade29a9e04b02a SHA1: 448cd8c68641c3066a59f5f4a6e61f5eaf0837cf SHA256:f2b114961b607dd0a51b58b91389e20d336967b870ee92eceefc96cfb7b2858a Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-no.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-no.js MD5: 5f531f078d367d5f10c287479533b0c8 SHA1: d345be311ae7a103e0f196e376b5b3e4eb02a4f6 SHA256:efa244f0869947d09fc669144f645c2729320f14f3a58dc477d11a79b2c1a422 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-pl.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-pl.js MD5: 2d7dd09c586d4275b402d627778123ca SHA1: eb4dc9b3be180a88f820272eba452be775ed2ae8 SHA256:5a56773af857cc7f05cd8d0d8d842cd71f214591d3f4f9be2632bca9a98bf25e Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-pt-BR.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-pt-BR.js MD5: 2d3c1dc7191cf5081b4f982c8cf78c98 SHA1: ac307479005fe3e316d5b2f1eaaff89bb48dcf69 SHA256:3c798cfa40d65e6f226d561d6bb7cabbe066ea87ffd474a5caaba95e2b49d605 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-pt.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-pt.js MD5: 860cea01ca64bbc3c7978d127e99b758 SHA1: 05764e8ea551fb41de1ac455c66cb6f2907259b8 SHA256:89caec9fa822a2f4f050e7d490893fc81ea39f3329f00b2c2e12986f3542bf7e Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-rm.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-rm.js MD5: 0601228208954434efea2ccf265f5b94 SHA1: 15f311311bb5e0b4c91cbe3d502bf6fd1bb0a71f SHA256:a10a44725edcbac12fb505445bf79ce474c8c621a73a3c56e17b769dbe274424 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-ro.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ro.js MD5: 3e888ad522a6581f99b47ad987292c20 SHA1: b80d6afa3f2276f4376cbf8ad54c79971786aa03 SHA256:69c8c0d833628a8b1cb64aa4e81e0033763e2aa3e1dc01a730615f25b2063400 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-ru.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ru.js MD5: 813acc83f4f77a0d874426207da0208a SHA1: 44ca0387b6caf2a07ce61d67ca676a4d319620e9 SHA256:87981e13163fc67625491c48df4de65efe8c6b6fd7f0de35f8056c9806793ecb Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-sk.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-sk.js MD5: 377b3c5fa2285a8fa665206957c95ceb SHA1: c57fce966065c4dc9561752b0b5e18d63b9bb8ba SHA256:9af151d993ad480006c4c79834f13675e532c385f1d87e94ac8f0af8172ebee7 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-sl.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-sl.js MD5: 7b87e98ac2241fffb8f3e5bb6415ec07 SHA1: 74cdfcaf824e0d05d93e2e36764df6a4387525a9 SHA256:6658622f1ad41e7681a777c3c0b57af4715c5200505ede3b9aad41d384c28472 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-sq.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-sq.js MD5: 47ea965b616f6afeab8d860d75787847 SHA1: cc5b4ebcb1dc15f47dc7f31b0c8514140314edbd SHA256:d6d0392f67288cb851141c02ffbddbc53daa4c3d632d5d0f14795c7f0d2e4bf5 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-sr-SR.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-sr-SR.js MD5: 3d23308dfb3943acdf90bdd46b25f9e2 SHA1: 14d201f20ab664a135aa8fc589e79e7230c7125f SHA256:e405583497af85ddd4d3560af4a85a3b5d87a45ecd229c9bc67ddedc57bfcda6 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-sr.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-sr.js MD5: 7083f39fcb737210e0a13c6196f3feb4 SHA1: 7f078aac8fc2b874da5e4bac3fd2bbefe8db91d4 SHA256:3273a2131896be177f059148daa0d3437c5d0ac1f708fdfa26cd6ba290c7cdd8 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-sv.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-sv.js MD5: 88fbc9581e8abeac0fe083d572428c45 SHA1: 81371ecba81f44876fd3194623cd546ac508410c SHA256:a3194fe65ca854e4e941b181939f8c7257e89e1573e19ff47bcef66b1db18107 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-ta.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ta.js MD5: da7607dd5df15b0bcd4da344c33447a3 SHA1: cb4b8a146c21753647289b7ba81d08b594415789 SHA256:e19b993c51292eb6724c8678313390df52a8788e27ff4280adf0650f23d46d84 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-th.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-th.js MD5: 0f1be4ae65e24fc7d6a37dce828a9cee SHA1: 285abe42e96868c32336c9a885b511620cee0c4b SHA256:689d1a48ea4e7499b09517afc66521b4e0fbd6fa48fefd72ae65de01e6bdfd2f Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-tj.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-tj.js MD5: f868a410d5438feee15a20e24e4caf5b SHA1: 7116883f259f87ebbb4b0e6ef88b586ffb8f1987 SHA256:10dece355730e6d149ee7c727737dd2265da5930105bbc061095bbc29ea07fe8 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-tr.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-tr.js MD5: 6d11aae285bdd88294e66353feb284da SHA1: 43f6270d667d29a1ee9f57b8a7bbe860e28414fd SHA256:357b70d7d9e675f47456a7035bad519aad1c47ce6d6b8fa5e43820871030446f Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-uk.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-uk.js MD5: e0b56bc48d64fa8ffef2b8c39f1db725 SHA1: 921bd478f57c41f261a7a42d9910217d3b285ec5 SHA256:5dd9a4954b273dd979313c629d4d749b8c2338cb75e0ed569e882a1633fa86c2 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-vi.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-vi.js MD5: 7d54cb0edfbc31232d4ac12f94cec562 SHA1: 59c9a69db24682c4574038a5bb22aa748499e5af SHA256:2f398a8e354cb530f55ec14e0df4ffdbe33d1078af7625c23ad997698afa23b5 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-zh-CN.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-zh-CN.js MD5: 46cc885a69ff490c660e99173dc05ea3 SHA1: b847ce3b7a3d705dc852ffb3ff76c87b20cb408b SHA256:42a616c30be97a9158cdd22ddd5dd4c6b4e91915b685a979ed1e1c57cc6a3278 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-zh-HK.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-zh-HK.js MD5: ab64f179cc7f62ba45d7708e1dee8cae SHA1: 10dea8f337339942dee63b2d67acf72ba004b290 SHA256:a8aa93f05a38dd63018a477401dd5c26ccc43fd5347f348d6bcf169c06f2f5f9 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jquery.ui.datepicker-zh-TW.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-zh-TW.js MD5: 411a70a31fe6420be6e5990ea5122e18 SHA1: c41c7f8e9b868e5aa9a831abdae909fb38ba5f8f SHA256:cc02476d6ca84ca3bffb5dcde95f4c9a6ec6b8e748766d44b2dd39409e19fb08 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jsinterop-annotations-1.0.2-sources.jar
File Path: /home/vaclav/.m2/repository/com/google/jsinterop/jsinterop-annotations/1.0.2/jsinterop-annotations-1.0.2-sources.jar MD5: 28e63b0b2da746938da412393a3b2be1 SHA1: 33716f8aef043f2f02b78ab4a1acda6cd90a7602 SHA256:9091354e2fccf3585fd0de6c5aac78418d84b15d59e5401cfb3c70ebf4950459 Referenced In Project/Scope: OpenKM Web Application:provided jsinterop-annotations-1.0.2-sources.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.gwt/gwt-user@2.8.2
jsinterop-annotations-1.0.2.jar
File Path: /home/vaclav/.m2/repository/com/google/jsinterop/jsinterop-annotations/1.0.2/jsinterop-annotations-1.0.2.jar MD5: 8644058594a4f656b7d0e2ade4209756 SHA1: abd7319f53d018e11108a88f599bd16492448dd2 SHA256:fcaf44731f5b6a606fa428a6d1a9ede11dc628c6f7d0f91c235aa71e337bf014 Referenced In Project/Scope: OpenKM Web Application:provided jsinterop-annotations-1.0.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.gwt/gwt-user@2.8.2
json-lint.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/lint/json-lint.js MD5: 82769a33f1e18715fd1da3cb3c3c833e SHA1: 00d5f9d13118969cc98db09627ec1a956732e732 SHA256:8662433bb44214b06d4a1005535df63b9191d930b8dd636f22aa5ac7f318e643 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
jsonic-1.2.11.jar
Description:
simple json encoder/decoder for java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/net/arnx/jsonic/1.2.11/jsonic-1.2.11.jar MD5: 6ee823936e58325ca57746c438ff1d30 SHA1: d85dcd1c5469673b58ec78ceae8a675e2c730c66 SHA256:76a787944faab6c9bea64dc78400949027ed6fb686fe9b328d18f949852bc89f Referenced In Project/Scope: OpenKM Web Application:compile jsonic-1.2.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.cybozu/langdetect@2011.11.28
jsp-api-2.2.jar
File Path: /home/vaclav/.m2/repository/javax/servlet/jsp/jsp-api/2.2/jsp-api-2.2.jar MD5: dd575c153ec55c650d2a66aefc5ba9d3 SHA1: 5bf0c26ef77df58c7c28be2d9d52246f2b437a54 SHA256:cfbb2169429dbfef99f3c419622b7d6b385909aa7816adfa44501e2767a72e89 Referenced In Project/Scope: OpenKM Web Application:provided jsp-api-2.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
jspf.core-1.0.3.1.jar
File Path: /home/vaclav/.m2/repository/com/google/code/jspf.core/1.0.3.1/jspf.core-1.0.3.1.jar MD5: a6f6f8664284e590e7936693ae5c11b2 SHA1: b45a19bea43ce7dc476f13fdf26cbfedc8f2d625 SHA256:099dff0a557cb364326049df4ad1830e1ab60721f428d11ef143463a132faced Referenced In Project/Scope: OpenKM Web Application:compile jspf.core-1.0.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
jsr305-1.3.7.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/google/code/findbugs/jsr305/1.3.7/jsr305-1.3.7.jar MD5: 144c0767e2aaf0c21a935908d0e52c68 SHA1: 516c03b21d50a644d538de0f0369c620989cd8f0 SHA256:1e7f53fa5b8b5c807e986ba335665da03f18d660802d8bf061823089d1bee468 Referenced In Project/Scope: OpenKM Web Application:compile jsr305-1.3.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.gdata/core@1.47.1
jstl-1.2.jar
File Path: /home/vaclav/.m2/repository/javax/servlet/jstl/1.2/jstl-1.2.jar MD5: 51e15f798e69358cb893e38c50596b9b SHA1: 74aca283cd4f4b4f3e425f5820cda58f44409547 SHA256:c6273119354a41522877e663582041012b22f8204fe72bba337ed84c7e649b0a Referenced In Project/Scope: OpenKM Web Application:compile jstl-1.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
jta-1.1.jar
Description:
The javax.transaction package. It is appropriate for inclusion in a classpath, and may be added to a Java 2 installation.
File Path: /home/vaclav/.m2/repository/javax/transaction/jta/1.1/jta-1.1.jar MD5: 82a10ce714f411b28f13850059de09ee SHA1: 2ca09f0b36ca7d71b762e14ea2ff09d5eac57558 SHA256:b8ec163b4a47bad16f9a0b7d03c3210c6b0a29216d768031073ac20817c0ba50 Referenced In Project/Scope: OpenKM Web Application:compile jta-1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
julia.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/julia/julia.js MD5: 719036f3ef8c87e241a695a62a2145e5 SHA1: 5fd643fe96a8cae5f2cc2a515e08dfb1c4c5e807 SHA256:a7912ef04372b32c231a965749aeecf87d102bb89777a3dfc838f5d2aa4152e6 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
junit-4.11.jar
Description:
JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.
License:
Common Public License Version 1.0: http://www.opensource.org/licenses/cpl1.0.txt
File Path: /home/vaclav/.m2/repository/junit/junit/4.11/junit-4.11.jar MD5: 3c42be5ea7cbf3635716abbb429cb90d SHA1: 4e031bb61df09069aeb2bffb4019e7a5034a4ee0 SHA256:90a8e1603eeca48e7e879f3afbc9560715322985f39a274f6f6070b43f9d06fe Referenced In Project/Scope: OpenKM Web Application:compile junit-4.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
CWE-732 Incorrect Permission Assignment for Critical Resource, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
jwplayer.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/mediaplayer/jwplayer.js MD5: 299783690ae05d071cb75408656d6435 SHA1: aac73ea081f8a850de95bd907a66992c6ad7e7ac SHA256:d8a927b0a0d1490b1771fd6980a7e827d5192c6065578ada7a550cd8e3641461 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
ka_GE.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ka_GE.js MD5: e288aba75f3368a8007774f9d641198d SHA1: cf13d1cb69676b05bdb0b31ce263a23dca005272 SHA256:81c023d83ea778e394a02792ebc3b6b8bdab3881f0e8610a52c7adc8483b3045 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
kk.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/kk.js MD5: 8d2c652ce0ecfb2b97a9c6c2bcd7a5de SHA1: b81abab163c593f93b9710136d8bb3b9e3e9903c SHA256:776aa27cdf62d3d6bc57baea443b6fe4ebd6f721ad6f7954703f6667061bc808 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
km_KH.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/km_KH.js MD5: 3ff61481d97b27ed6bd94706630e50f6 SHA1: dd583cc9446989353f369c808706efb0b047faa9 SHA256:82a7dc971826e22438e2de82d95a31f5b27236ece4dbb2e50062f7e9e97470fc Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
ko_KR.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ko_KR.js MD5: 5da9a34b5205e8ac872b66c93da46487 SHA1: 5d2c0cdc65efbe0a019e99bf299ea9714a7276aa SHA256:d8f8c591e457c0fcae43ee1ddd7d7a441a1519b21b0460c18f074d9c3ed4f485 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
langdetect-2011.11.28.jar
File Path: /home/vaclav/.m2/repository/com/cybozu/langdetect/2011.11.28/langdetect-2011.11.28.jar MD5: 8866b8b89f180a038fe756c6fb670028 SHA1: d8e4ab8d1b35ec369b3b57c40471ea582dfefd73 SHA256:c710f1c23aec1ca4b0f28cfc828d6bfd259aa3e3cd818fdb293069b7bbc4f066 Referenced In Project/Scope: OpenKM Web Application:compile langdetect-2011.11.28.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
logback-classic-1.1.3.jar
File Path: /home/vaclav/.m2/repository/ch/qos/logback/logback-classic/1.1.3/logback-classic-1.1.3.jar MD5: 19ec751a4fe907ddb204dff93103acbb SHA1: d90276fff414f06cb375f2057f6778cd63c6082f SHA256:98c3f18f5d0d642cd5f327cc724566cd19649626c7d88f70143bd704c94157d5 Referenced In Project/Scope: OpenKM Web Application:compile logback-classic-1.1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
A serialization vulnerability in the logback receiver component, part of logback version 1.4.11, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-6378 for details
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
logback-core-1.1.3.jar
File Path: /home/vaclav/.m2/repository/ch/qos/logback/logback-core/1.1.3/logback-core-1.1.3.jar MD5: 94975ef44aa05c5067563875a783351e SHA1: e3c02049f2dbbc764681b40094ecf0dcbc99b157 SHA256:47c0fd342995d3315b8faccacc324b2a76143b27c430d4b2d6a29eabc31f5c14 Referenced In Project/Scope: OpenKM Web Application:compile logback-core-1.1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/ch.qos.logback/logback-classic@1.1.3
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
loremipsum-1.0.jar
File Path: /home/vaclav/.m2/repository/de/sven-jacobs/loremipsum/1.0/loremipsum-1.0.jar MD5: 153f5cd006087d99099fd5b5a8c17d10 SHA1: 91bf10988b4a30a30786e53ca72b51b5f44c4458 SHA256:a7f945949ad766da798cb5fb7087a2d83512a5a848391a872004e07e6d00d34b Referenced In Project/Scope: OpenKM Web Application:compile loremipsum-1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
lt.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/lt.js MD5: ad72abfb2895ac0855eea09e8480b691 SHA1: bcdb1073b61fb8fe5c8662062faeb575d5209127 SHA256:b5db33b254b1eb6a2da2d71e9f9186728776e9d422633d2be5440f61f1bd24c7 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type / Source / Name / Value / Confidence): no entries
Identifiers: None
lua.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/lua/lua.js MD5: ce04636ef891d1e9bd633eae5a954ba7 SHA1: 079652e566ac50c1063b3bbbb3388a9f9d20f53e SHA256:d8e80854ae6bff0904c1303de3a5dd834789db2d535535a89402556eaa2ec4d3 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
lucene-analyzers-3.1.0.jar
Description:
Additional Analyzers
File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-analyzers/3.1.0/lucene-analyzers-3.1.0.jar MD5: 52982b9865f1ea4af4f545ae67c128f8 SHA1: c5100d5ebcb703824de93c71c21dd99a88e16264 SHA256:4ed9e4fe767157de9d9409ad5240866c63067c564cc816816dc8bdd1ef2d4923 Referenced In Project/Scope: OpenKM Web Application:compile lucene-analyzers-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final
File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-core/3.1.0/lucene-core-3.1.0.jar MD5: 84f0ab76ab7915b7eae98671e43a1e3f SHA1: 346e85978e23f126cbc821ac2b6528bd4e510296 SHA256:b72d617511051cbafe947833b4b4527e8f8617c454f3713f673d74adc29f7942 Referenced In Project/Scope: OpenKM Web Application:compile lucene-core-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final
File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-highlighter/3.1.0/lucene-highlighter-3.1.0.jar MD5: 9b008521bfff4e6a301bb8326bb68765 SHA1: bbb7136982fd24ac5aad14df3af4a4b23c9b662a SHA256:b7625859e59a9710280b824b63e7927af30431a60ad8a37d46fbe146c07ca1b8 Referenced In Project/Scope: OpenKM Web Application:compile lucene-highlighter-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final
High-performance single-document index to compare against Query
File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-memory/3.1.0/lucene-memory-3.1.0.jar MD5: 727fa0098f264b4a1a7cd6959cdffe6b SHA1: a2b306f0e142bb6467ba62d0010721fded14fa01 SHA256:e12625df29cb90c14f63305283ca454aabad3f7fff41fae0f5a0c9cbe7781d02 Referenced In Project/Scope: OpenKM Web Application:compile lucene-memory-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final
File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-misc/3.1.0/lucene-misc-3.1.0.jar MD5: 4d3aef83d0889181999ae530ac620d5c SHA1: 99cd3561507b065f5292f15743bd1f5da3025ca6 SHA256:a3fbfc764cfc43e3e2da770b9eb8badf74ec20fb313b09b505f6d7ff17b8127f Referenced In Project/Scope: OpenKM Web Application:compile lucene-misc-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final
Queries - various query object exotica not in core
File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-queries/3.1.0/lucene-queries-3.1.0.jar MD5: ab8fcd539683ec321436421e7f4e75f4 SHA1: 2334ff134af64789d505c7e2818cbe23b9f77c3f SHA256:cd833414690bb3c1108b252ca66e7b395e9c94d5ad305ffb5a089c657597febb Referenced In Project/Scope: OpenKM Web Application:compile lucene-queries-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-smartcn/3.1.0/lucene-smartcn-3.1.0.jar MD5: 82a9fcf1db8601d16c7edab3d42236b8 SHA1: 1f800a09e14e76c9d8e79ba3c9fa3b659004452d SHA256:24b25853fa4a4863f72096d3a44727bfb2fdada6bf3ef89ce7a4edb3d9bc0670 Referenced In Project/Scope: OpenKM Web Application:compile lucene-smartcn-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final
File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-spatial/3.1.0/lucene-spatial-3.1.0.jar MD5: a13c130c4d912ce62c760fa08f072d7b SHA1: 50929b60f8aa61540c1c37c1bb4346e7b6c05f54 SHA256:cec17a32a174ecc3eccd8e90b3ea036fe5b27d5d475d64d3f8a9b5db5e2f5d0a Referenced In Project/Scope: OpenKM Web Application:compile lucene-spatial-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final
File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-spellchecker/3.1.0/lucene-spellchecker-3.1.0.jar MD5: f9f0cce47fa28854ec1da37dfef1766c SHA1: d0b34455273bfad85db4948c0c722f505670230d SHA256:921aa62f7e45d563f7f69b4eeb4f2e926deb9e276fa5d1788657ed037c48f7c9 Referenced In Project/Scope: OpenKM Web Application:compile lucene-spellchecker-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final
File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-stempel/3.1.0/lucene-stempel-3.1.0.jar MD5: 42f8a10b8eb231c9596535f57046668c SHA1: 5cb339ba2c7c8fe60d5209c8eb4fcfb1e9d21bbd SHA256:151f33ab653e98e9e75ea73d4683eff8d5265a1824d218ab9cddd34e7b5aaa4b Referenced In Project/Scope: OpenKM Web Application:compile lucene-stempel-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/lv.js MD5: cb529a1758b0ba9c3851bbcddc9782b8 SHA1: cd2b72b8c26902afe31445f8d32c9728a2da0dd9 SHA256:83a9461c5b34565faaa435bd5badf9c1b2a58ed7f7934ee5c96df6505dc4f091 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
mark-selection.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/selection/mark-selection.js MD5: 507aa55d1fcd70b91dcb696dc3bd778e SHA1: 0b029851289274525d4a3cfa8824a6eff37bcb4b SHA256:49d41cf838dd1d4969097ae99eb5955c1c85785f0ce20f0f9f13c50ff3e5b729 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
markdown-fold.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/fold/markdown-fold.js MD5: 6c40139c3c6a06a7c7d6fedde26dafeb SHA1: 3c8168603eb44850e0e55b0ba322303072d7635c SHA256:af715924a218cdf9a96b5341eebf84fd51576857a992f86dfadd3053a1a4e270 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
markdown.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/markdown/markdown.js MD5: 755d1507d859de315845f643d7a15c7a SHA1: 47e834eff7fc5a17ebd452f7619e52f53fc728c1 SHA256:59f0bc7c9ce9af7ab6a7b0c36a3c58d143cfd294723d53990d622f60479fadd0 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
match-highlighter.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/search/match-highlighter.js MD5: 9453d57dd359fd804723e49c044d943e SHA1: aba65691de407adb2dcfbab92d3ebbe9655bc28b SHA256:44ef08ac13d37b7d83a24c58d871634cb5325b7ba638f89a9293cc93f4f3b0bc Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
matchbrackets.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/edit/matchbrackets.js MD5: 7161292fcb7991bc001216f1ff4660cc SHA1: 0c385be2fb0992ccc5e331fb7e24636cc5d6df28 SHA256:514db3a9f1838a22983454162a47e9e3efba3e037ff3f688a3ec9148b3695d9b Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
matchtags.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/edit/matchtags.js MD5: 4b0b6b3278dd26ee7de91fb57a746f2f SHA1: ac8d4795090ac881d9a3a9e83962526fd7692b0e SHA256:f0486606ef875ae2c6b3eefd4c01ff9ea8020bdfc72163911f84612f054e9592 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
mbassador-1.1.10.jar
Description:
Mbassador is a fast and flexible message bus system following the publish-subscribe pattern.
It is designed for ease of use and aims to be feature-rich and extensible
while preserving resource efficiency and performance.
It features:
declarative handler definition via annotations,
sync and/or async message delivery,
weak references,
message filtering,
ordering of message handlers, etc.
License:
MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: /home/vaclav/.m2/repository/net/engio/mbassador/1.1.10/mbassador-1.1.10.jar MD5: b85f208787fda54300adc3b4a789a3e9 SHA1: ca527ef1806b999b1efdc54ad62ec4984c59fefe SHA256:c9371e6712c8875b4e4f81c5d20c2a3bfd99913ad312dffa5ebb25300cf5da83 Referenced In Project/Scope: OpenKM Web Application:compile mbassador-1.1.10.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.docx4j/docx4j@3.1.0
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/merge/merge.js MD5: 108249d50e4ff8b3fc6b709b8209c902 SHA1: fa30f595abbd0e9caff4a74d9be2c05be08f262d SHA256:312b05ad5a1ed5cad0a4b0bab92ac328b5684de6e5e435b4d0a263acab8533b3 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
meta.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/meta.js MD5: 327ffd1122c292df9aeb47cf74fddef1 SHA1: 5747828d7c47cb592a4ab17d74ae5b4f1b3dfd8e SHA256:6311055d60b81a21f8bf6e155cec08ff3a02eb692cda3cfea349cc4d09835ab7 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
metadata-extractor-2.4.0-beta-1.jar
Description:
a general metadata extraction framework
License:
public domain: http://www.drewnoakes.com/code/exif/
File Path: /home/vaclav/.m2/repository/com/drewnoakes/metadata-extractor/2.4.0-beta-1/metadata-extractor-2.4.0-beta-1.jar MD5: 6e0ad2f0fe78047cb34ec056b39633d3 SHA1: f1c0f6c2ebfbe2b11dd04559ad438728e4636d53 SHA256:b65fddb758066fcf0c0750fa6007715fef11927ba90424159562527ecbe4dde8 Referenced In Project/Scope: OpenKM Web Application:compile metadata-extractor-2.4.0-beta-1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
metadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use metadata-extractor library.
CWE-755 Improper Handling of Exceptional Conditions
When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.
CWE-770 Allocation of Resources Without Limits or Throttling
Metrics is a Java library which gives you unparalleled insight into what your code does in
production. Metrics provides a powerful toolkit of ways to measure the behavior of critical
components in your production environment.
File Path: /home/vaclav/.m2/repository/io/dropwizard/metrics/metrics-core/3.1.5/metrics-core-3.1.5.jar MD5: cc57fc46b3c5404655e23cfea6f7ac15 SHA1: b07d2c8b79a11dd0a7d6d48adc96f396d7b58808 SHA256:79d903d4ae850c9dee8d3939e5bd8d4172a91fda40b31b7e40a5d8c3e1fe4534 Referenced In Project/Scope: OpenKM Web Application:compile metrics-core-3.1.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.6.3
File Path: /home/vaclav/.m2/repository/com/ettrema/milton-api/1.8.1.4/milton-api-1.8.1.4.jar MD5: 9ccf7c67fb4fde0df82e832172ca8437 SHA1: af352cf80691fc16800808baf525ce46ee6e7941 SHA256:93a36cc0aca128ff251e6ef4d5eb2588454b9800bdf5efa182367cd319ec780a Referenced In Project/Scope: OpenKM Web Application:compile milton-api-1.8.1.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/com/ettrema/milton-servlet/1.8.1.4/milton-servlet-1.8.1.4.jar MD5: cd0ae3a0fb9bec20812024a334148945 SHA1: 843132e771a7873894e9098ffa1a1a0822c67c19 SHA256:b83dc77464c12abf023167a1dd5d3760fe3cbfc5e4b4b3d84a24178380d05d47 Referenced In Project/Scope: OpenKM Web Application:compile milton-servlet-1.8.1.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
mime-util is a simple-to-use, small, lightweight and fast open source Java utility library that can detect
MIME types from files, input streams, URLs and byte arrays.
Due to its use of regular expressions and the java.nio packages it requires at least Java 1.4.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/eu/medsea/mimeutil/mime-util/2.1.3/mime-util-2.1.3.jar MD5: 3d4f3e1a96eb79683197f1c8b182f4a6 SHA1: 0c9cfae15c74f62491d4f28def0dff1dabe52a47 SHA256:7512022ecd4228458a0ab456f9fcddac21f0759f1b07100c3528174eb63bdcaf Referenced In Project/Scope: OpenKM Web Application:compile mime-util-2.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.ettrema/milton-api@1.8.1.4
File Path: /home/vaclav/.m2/repository/org/jvnet/mimepull/mimepull/1.9.4/mimepull-1.9.4.jar MD5: c2d46f041ac535d98ff32169beb5468d SHA1: 6ffca64fe0209a94c5a973a32e93b5eae0ac384e SHA256:903d65a5724141ef25d7e4c98e041b868b0e2a4a43afd724509aee3153889358 Referenced In Project/Scope: OpenKM Web Application:compile mimepull-1.9.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/mirc/mirc.js MD5: b159f0b7d6f933d706e75eb6edd2aef1 SHA1: 9a4612d214c16a3e7bfc26d48dcf35a0cfbb991c SHA256:13c688e10ab849bc0a9268ff950fe16526820b15ac6534609150fff4009f9747 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
ml.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ml.js MD5: 45e75b84865446f15edcab41d33314a7 SHA1: 59a4f4628dc954f152b20ccf8dd891c136c8530a SHA256:4c350934724bb70d19ecba49e559407a41d27ce9ee9a03faed8ecaa352d71dab Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
ml_IN.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ml_IN.js MD5: 9d5fb7ece346a98047b34b12e25255d9 SHA1: 19214b56d959ca38aa41c51320eb091982219e72 SHA256:734f4bd809fad57f09202df42ec6f090b9af87b93d667e829b90ff2b6ecdc015 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
mllike.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/mllike/mllike.js MD5: 731c2ed97f1e72887eb0ca47e3b18194 SHA1: a03698747d40ce2ca0d31318b6ea5d8063787865 SHA256:c997ce47982f887ba4dd264be84296cae393cef11ac72178aab0574765e7d896 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
mn_MN.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/mn_MN.js MD5: 90ff2a1ba6669c058c944332247ba4e3 SHA1: cd761f3a7c171b6ab7ba1c9a19ff9b5e8e3a9a3e SHA256:ac4feea3e78431f5c4dac45abb1d4e086c3943df0ba1d29ab4143fa4a1c30aaa Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
mockito-core-1.9.5.jar
Description:
Mock objects library for java
License:
The MIT License: http://code.google.com/p/mockito/wiki/License
File Path: /home/vaclav/.m2/repository/org/mockito/mockito-core/1.9.5/mockito-core-1.9.5.jar MD5: 6f73cf04a56eb60aaa996506e7c10fc7 SHA1: c3264abeea62c4d2f367e21484fbb40c7e256393 SHA256:f97483ba0944b9fa133aa29638764ddbeadb51ec3dbc02074c58fa2caecd07fa Referenced In Project/Scope: OpenKM Web Application:compile mockito-core-1.9.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.googlecode.catch-exception/catch-exception@1.2.0
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | mockito-core | High
Vendor | jar | package name | core | Highest
Vendor | jar | package name | mock | Highest
Vendor | jar | package name | mockito | Highest
Vendor | Manifest | bundle-symbolicname | org.mockito.mockito-core | Medium
Vendor | pom | artifactid | mockito-core | Highest
Vendor | pom | artifactid | mockito-core | Low
Vendor | pom | developer id | szczepiq | Medium
Vendor | pom | developer name | Szczepan Faber | Medium
Vendor | pom | groupid | org.mockito | Highest
Vendor | pom | name | Mockito | High
Vendor | pom | url | http://www.mockito.org | Highest
Product | file | name | mockito-core | High
Product | jar | package name | and | Highest
Product | jar | package name | core | Highest
Product | jar | package name | mock | Highest
Product | jar | package name | mockito | Highest
Product | Manifest | Bundle-Name | Mockito Mock Library for Java. Core bundle requires Hamcrest-core and Objenesis. |
File Path: /home/vaclav/.m2/repository/com/auxilii/msgparser/1.12/msgparser-1.12.jar MD5: f81902a49613cfe7316fdbca41317c8e SHA1: 6fe3122ebd95914b5a546e6390aeb1e14d75d2c8 SHA256:9a1f6ebfeaef46da25f430280f8c623f6c1e45afc120c46bccb408d810334397 Referenced In Project/Scope: OpenKM Web Application:compile msgparser-1.12.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/mode/multiplex.js MD5: 33ad8c8d3b016bc2935afdc223dc8ccf SHA1: 6f402341990dcdc0884cf432aa86f6a1d9eb3a40 SHA256:0afbb4e3f601c50b773bdd677ab7e7e3b3cb04a776b4cd28936c11a3c52315f8 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
multiplex_test.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/mode/multiplex_test.js MD5: 9b495b24f2c22cc50dbb554a396f733b SHA1: f8e47b799fb9073f61903c943b00c984df618740 SHA256:9956ae95af26db1e175c3ecbb510ede73849407941639de605fefd46adc18f21 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
nb_NO.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/nb_NO.js MD5: c106b632b91ed96bf59e57d3a3248fd8 SHA1: 02718c5464ea30fe6747327662be70553c721093 SHA256:efddb2470fe0080627326cbc336f68bf19928432c5d73268bc5904f8c269032c Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
neethi-3.1.1.jar
Description:
Apache Neethi provides a general framework for programmers to use WS-Policy. It is compliant with the latest WS-Policy specification, which was published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS-Policy as a way of expressing its requirements and capabilities.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/neethi/neethi/3.1.1/neethi-3.1.1.jar MD5: 13dd27a2bd870dfb01d67a086a8c1948 SHA1: 3a942a7921e66bb0081b16cf8f8a68e456b91de1 SHA256:7f8c00d9bbfbaa97a97a461cdeadb20054b956acb7536782703ca5a9a330ff22 Referenced In Project/Scope: OpenKM Web Application:compile neethi-3.1.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.6.3
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.14/nekohtml-1.9.14.jar MD5: 48e909b5cab667a8718e6e322f5ce75d SHA1: 712d3d54f758c9f6cd33d954b0b963bdb27514d6 SHA256:8ab048645c8faf73540475afb513d7354e1b6e0fcaf98bb842ab81605ef80ffd Referenced In Project/Scope: OpenKM Web Application:compile nekohtml-1.9.14.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/nginx/nginx.js MD5: 95db8c4d095958979a2e3aa2f08ba493 SHA1: 5f6ee414c04f6dea6cbd340c69691d8d813981fb SHA256:7a3a59ca08ace4d0954ba578c47d4e8aa474a31df3f765cd50f6209fe1bc37ef Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
nl.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/nl.js MD5: 208eae38f0efb03973ea89170be7cdd4 SHA1: 09baea88f269c9ea1c8d50ce5ebfc664c97d4d18 SHA256:f2f2b83927cfd5f9e26f08b1228417490138c18df12af324c7f8f0fcb318bd0c Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
npm.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/bootstrap/npm.js MD5: ccb7f3909e30b1eb8f65a24393c6e12b SHA1: e2b7590d6ec1fdac66b01fdf66ae0879f53b1262 SHA256:c7aa82a1aa7d45224a38d926d2adaff7fe4aef5bcdafa2a47bdac057f4422c2d Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
ntriples.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/ntriples/ntriples.js MD5: 31172849c60958f569a7f394e3794b50 SHA1: 26faf92f822690c2e14d6a211f2e943ef83826e9 SHA256:bd438c03b0261982696b03da6d040acb5043a0d80cca1f20b0182859178987ae Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
objenesis-1.0.jar
Description:
A library for instantiating Java objects
License:
MIT License: http://objenesis.googlecode.com/svn/docs/license.html
File Path: /home/vaclav/.m2/repository/org/objenesis/objenesis/1.0/objenesis-1.0.jar MD5: 1989c831f28c92fae9b333cf5c9f9926 SHA1: 9b473564e792c2bdf1449da1f0b1b5bff9805704 SHA256:c5694b55d92527479382f254199b3c6b1d8780f652ad61e9ca59919887f491a8 Referenced In Project/Scope: OpenKM Web Application:compile objenesis-1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.googlecode.catch-exception/catch-exception@1.2.0
File Path: /home/vaclav/.m2/repository/org/odftoolkit/odfdom-java/0.8.6/odfdom-java-0.8.6.jar MD5: 721eab6944ea0e1a63659380790b34e3 SHA1: f8e2f85cc5a697619784f50fd2a086d51dcc78f3 SHA256:b54ffce15aa8cb32e1652d97987648fb39ffe304c23563d9e028b6b997e0d596 Referenced In Project/Scope: OpenKM Web Application:compile odfdom-java-0.8.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/com/catcode/odfutils/051129/odfutils-051129.jar MD5: 8204cdb8f048ded10b2819f28fe668ab SHA1: 789ed4706def560c0a5877f164916d21eae627c0 SHA256:420a340161eebbedeb735569f1921b7e801f5908212450e2727429a2203b82a9 Referenced In Project/Scope: OpenKM Web Application:compile odfutils-051129.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/okm_mail_tinymce4.js MD5: 9a5e05de05eccc108faa5838c534f628 SHA1: 9768da7cca740dac2a9b9ed43f479c983c65ae77 SHA256:85f7b1191148afd5d6f4a9be6a0bc29ad9812345e343e641d388b6e1d125a096 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
okm_tinymce.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/okm_tinymce.js MD5: a2abc512a86e6f51d8a766b845f92bb9 SHA1: 55ece1dacc760f074f6b41d57c27d9c6eaf22846 SHA256:25dcfd383f0c740c986d4c205409d8709df976b7611572150c62883860bbf430 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
okm_tinymce4.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/okm_tinymce4.js MD5: 399d5a75228069faa9a8ca7137d0b278 SHA1: eadcbf0c433219905c5d9b3d7849e2d374fbcd4c SHA256:ed7c0ff1115a73e527337958b8947f9da4932a9f5c65fdb3747f85bf624a1ded Referenced In Project/Scope: OpenKM Web Application
Evidence
Type | Source | Name | Value | Confidence
Identifiers
None
olap4j-0.9.7.309-JS-3.jar
File Path: /home/vaclav/.m2/repository/org/olap4j/olap4j/0.9.7.309-JS-3/olap4j-0.9.7.309-JS-3.jar MD5: 6c33ba624b1c6c2b2f076fcf8438b762 SHA1: b959e1e72a5ab17668609edb2949b09a6a51b82e SHA256:caa9a1c5c44fb809a9bd8456050054d07be18c990a4962cb9efa53902675eacf Referenced In Project/Scope: OpenKM Web Application:compile olap4j-0.9.7.309-JS-3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3
File Path: /home/vaclav/.m2/repository/ca/uwaterloo/a3seth/omr-tool/2007.07.01/omr-tool-2007.07.01.jar MD5: 1acef58ac151e9abacf249e2148b74a9 SHA1: 4489a87ab36752119b9ee8c396f3b00303f5e74a SHA256:1a4938cbabc5886b408050519748687e3506b8579b4b224655dc8c085ca7b639 Referenced In Project/Scope: OpenKM Web Application:compile omr-tool-2007.07.01.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar MD5: 53e4e9a1b84557d3d8c2c0ed37e742be SHA1: 15ac9626ce3700377bf31477e61ce6fc71885571 SHA256:7d38d76027e0fc5fac60ae93cad07b5f5bd84d9bce7de281277a035eba163901 Referenced In Project/Scope: OpenKM Web Application:compile onejar-2.2.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/org/opensaml/opensaml/2.5.1-1/opensaml-2.5.1-1.jar MD5: 1d7b3adc3f43fca064ff44faaf3e21bb SHA1: 9736dcbe852dda3ce263a9c6e33579cd5af203e5 SHA256:dbbcb9c9030312255b754a6154f1483009ec9637854a7de943d2682a47310f31 Referenced In Project/Scope: OpenKM Web Application:compile opensaml-2.5.1-1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.ws.security/wss4j@1.6.4
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | opensaml | High
Vendor | hint analyzer | vendor | shibboleth | Highest
Vendor | jar | package name | assertion | Highest
Vendor | jar | package name | opensaml | Highest
Vendor | jar | package name | security | Highest
Vendor | jar | package name | support | Highest
Vendor | manifest: org/opensaml/ | Implementation-Vendor | www.opensaml.org | Medium
Vendor | pom | artifactid | opensaml | Highest
Vendor | pom | artifactid | opensaml | Low
Vendor | pom | developer id | cantor | Medium
Vendor | pom | developer id | lajoie | Medium
Vendor | pom | developer id | ndk | Medium
Vendor | pom | developer id | putmanb | Medium
Vendor | pom | developer id | rdw | Medium
Vendor | pom | developer name | Brent Putman | Medium
Vendor | pom | developer name | Chad La Joie | Medium
Vendor | pom | developer name | Nate Klingenstein | Medium
Vendor | pom | developer name | Rod Widdowson | Medium
Vendor | pom | developer name | Scott Cantor | Medium
Vendor | pom | developer org | Georgetown University | Medium
Vendor | pom | developer org | Internet2 | Medium
Vendor | pom | developer org | Itumi, LLC | Medium
Vendor | pom | developer org | The Ohio State University | Medium
Vendor | pom | developer org | University of Edinburgh | Medium
Vendor | pom | developer org URL | http://itumi.biz | Medium
Vendor | pom | developer org URL | http://www.ed.ac.uk/ | Medium
Vendor | pom | developer org URL | http://www.georgetown.edu/ | Medium
Vendor | pom | developer org URL | http://www.internet2.edu/ | Medium
Vendor | pom | developer org URL | http://www.ohio-state.edu/ | Medium
Vendor | pom | groupid | org.opensaml | Highest
Vendor | pom | name | OpenSAML-J | High
Vendor | pom | organization name | Internet2 | High
Vendor | pom | organization url | http://www.internet2.edu/ | Medium
Vendor | pom | url | http://opensaml.org/ | Highest
Product | file | name | opensaml | High
Product | hint analyzer | product | opensaml | Highest
Product | jar | package name | assertion | Highest
Product | jar | package name | opensaml | Highest
Product | jar | package name | profile | Highest
Product | jar | package name | saml | Highest
Product | jar | package name | security | Highest
Product | jar | package name | support | Highest
Product | jar | package name | version | Highest
Product | jar | package name | xacml | Highest
Product | manifest: org/opensaml/ | Implementation-Title | opensaml | Medium
Product | manifest: org/opensaml/saml1/ | Specification-Title | Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1 | Medium
Product | manifest: org/opensaml/saml2/ | Specification-Title | Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0 | Medium
Product | manifest: org/opensaml/xacml/ | Specification-Title | eXtensible Access Control Markup Language (XACML) Version 2.0 |
The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.
CWE-347 Improper Verification of Cryptographic Signature
The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CWE-297 Improper Validation of Certificate with Host Mismatch
The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
File Path: /home/vaclav/.m2/repository/org/opensaml/opensaml-core/3.4.6/opensaml-core-3.4.6.jar MD5: 078679e8cb6a0c3361eac985019e8e5b SHA1: 75b749a9ce605414d071ffabbf7e61cd11b9204d SHA256:d9b867c9c2b6a44d75a95504a467d94b5183def09fa1f3f0f1a95a79621ec1e1 Referenced In Project/Scope: OpenKM Web Application:compile opensaml-core-3.4.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.6.3
The OpenWS library provides a growing set of tools to work with web services at a low level. These tools include
classes for creating and reading SOAP messages, transport-independent clients for connecting to web services,
and various transports for use with those clients.
File Path: /home/vaclav/.m2/repository/org/opensaml/openws/1.4.2-1/openws-1.4.2-1.jar MD5: 8f84c09de5295c630e21febcdc09521c SHA1: c835fd5214632ed4befbca23dd42e062e80ceb85 SHA256:bf0e2dbc0fd359b6d2c872a7d1b4c12e1e4f7f6eb6114801d6ebcaf8af7afca4 Referenced In Project/Scope: OpenKM Web Application:compile openws-1.4.2-1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.ws.security/wss4j@1.6.4
File Path: /home/vaclav/.m2/repository/org/apache/pdfbox/pdfbox/2.0.13/pdfbox-2.0.13.jar MD5: 91d98c9a48cb6e89a3a1eeb4294f2665 SHA1: 389abca354e682d65e500c57856b75130d015e77 SHA256:a373578f0efe7411e1c63181512bbb93f9eb528dd9c05655986ca5e372fe3634 Referenced In Project/Scope: OpenKM Web Application:compile pdfbox-2.0.13.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
CWE-789 Memory Allocation with Excessive Size Value, NVD-CWE-Other
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/pegjs/pegjs.js MD5: 4d389ae83006d3851b6f407341756b55 SHA1: e473d5332c8e536806c17648eb0b8d6762c63446 SHA256:46ec8ef3ae56a568954c8062a6fa78d76d345215ae93d05e18900647ffd734d5 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
perl.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/perl/perl.js MD5: 2a939d012c58da9a748515f47f92b65c SHA1: e8e98ad85af974e44d5cd25ac04ba313ce258f14 SHA256:a755a93edcc3e02ac21440909b605cd9d00da24636aad8e1af897060770c908b Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
php.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/php/php.js MD5: a0764da08e0d5581fc9b1fb8607ed584 SHA1: 1ecf2701c983434752ffa9301e0ae4ac9a97d86e SHA256:876af57b49ff9930eced74e3c0f72aeca1fd994deaf86c30a5860a14c9c006c0 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
pig.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/pig/pig.js MD5: 73b355c294616f46a678e0c6c2ba8111 SHA1: 36a19f25f889035f1db4f7155bff30e26de8aefd SHA256:996a096b2dd30570fa678b16f8a802843ae04786564dd10cf5714a7ad4a172c4 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
pl.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/pl.js MD5: 8cfca9822e9d0366f55ff09bf301d893 SHA1: 248889ff5dfdd996065ce8cd55aec10caf75f1ba SHA256:1fa8e11bf6eda8624c13e9fdc3bf53015601768a7c0dc0e7942ba62c925496df Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
placeholder.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/display/placeholder.js MD5: 61ed0cc4d000f3dee5390e8111797d80 SHA1: 7af480851e1c3979926f60a77ea6e36f88938a8f SHA256:857ffa6a2da4591c38c3380359fd6be362f089190374a69a44e4b18660fb1b75 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/advlist/plugin.min.js MD5: 6d203268ff6a5d95cdffd26dd3f6df76 SHA1: 2dea2e8b7ff9105336fd25b1c806c5a606700457 SHA256:ed03753f856b75361c96d4c09f1f69503fd5e9ef6bf17b81bbdd10c0b4b65bd5 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/anchor/plugin.min.js MD5: 25917fb0c34e22440af7f5814b8744af SHA1: 0069acafb2ce1b8db76d6b95ebc8ac7b50e4bcb4 SHA256:c8b1b31717dfcc1e23e499ceb48673972d7b4048d2c2665dbfee3a1470791a63 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/autolink/plugin.min.js MD5: d3f8d3767cd94dbed5e714f510d1866e SHA1: bdcc52e2998616f17edde223ef301f922ebb9fdb SHA256:65b7dd2e8c7e43f4dca681ed0046cf9a7ef936ba2bac322293501e487f5a282d Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/autoresize/plugin.min.js MD5: 259de19c7495767e92dec10636da77b0 SHA1: 88e1303a6a59898a506643c56140419a9e83bef8 SHA256:115f209eb0d74ee8ba336af5da1de90da3f80bf01714c59d1516abc75ee09482 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/autosave/plugin.min.js MD5: 4dec5af212b093dd999c9f823138b645 SHA1: 16db5893d5965e0575b5cd77b1d48ed1423f0ed6 SHA256:f383956470d386011b9b5670b2180f11e91149e84fa28a19484ae6f493391bb1 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/bbcode/plugin.min.js MD5: c0659a68f5de69f1b1632b73a2c534cc SHA1: b3658b1fdccdf61bb2f191470b06392aab77a536 SHA256:2870e899d5cf02a1a82187b8a647a0d0daaec2f9811193547dd650909f9382bf Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/charmap/plugin.min.js MD5: ac627e9017143d091eb11ab6cf1ee68b SHA1: b747b4b601432983ebf7d5d090071bf29994f94f SHA256:49587e8bbf1f94017364818a845a3a4462f49fe4229d291aaafb6b44d6b39cab Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/code/plugin.min.js MD5: 96c43004c75f30ec4d04acb9ac40cb37 SHA1: 6ef45e5c18feb4c2406f8c7a28eae34d4ab1a053 SHA256:d32445165313980bc57839df2fa01027a9308cb014cb839410db5f5969219542 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/colorpicker/plugin.min.js MD5: 1581bb02286f54b4fb0cce52d2ef61c7 SHA1: e686620051b5d7f533ab6f813063ac604d9d262e SHA256:02eb6d55dc132f735d9ab8ef11259b2e25f0dd2ce157dce681d74b7307fb0ac4 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/contextmenu/plugin.min.js MD5: 7e934aa155cfa1a906f53f6fde407f8a SHA1: 1efe6588e5f4417ee7f5c26e1d7acaa5d59fe2ba SHA256:a5238c4a8852f7b071c7a25fb4209e86a0a16a4477543f5bade0853c866b76bb Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/directionality/plugin.min.js MD5: 60de57253ca9143a6f1e4aff10fc39d2 SHA1: 26131f3f28f9f931e9ea0a8e5f1ef007706f3fc4 SHA256:fa1798550b63291ccc9bb67dbc71e857991eacbfb18095458e992d6316b714a8 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/emoticons/plugin.min.js MD5: 5765b009c97598ad485fbd571b4c299a SHA1: b9769dd1dbb31f3a676c262d8f34cfdaabdac21c SHA256:a7c74ec69db8d8a53c027eb482ed09cb67fca1ea0b6b5422d864ff4af898d540 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/example/plugin.min.js MD5: fd84cb88e227c48e5c63cc84abeaed68 SHA1: 296bb1093117ac72789fb569ae9bc58afefce56e SHA256:4abac3a744202bb8f0b08fddf719274b7268ed84a78ab0457a71206d1b7337fe Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/example_dependency/plugin.min.js MD5: 8751593f8a00cc41f908aa4dc5f8c938 SHA1: 542cfcc2e403635375337eb796866f4f215cb3f7 SHA256:b34159ea7a4f528369cef895f67eb5be0d293e5f16fb661f01de71b1c22c0e1e Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/fullpage/plugin.min.js MD5: c7deb7a49ed4ea4a4ec5556cf7c48f41 SHA1: 8cb06f65beb1374bc42fb65b808abc8df16dd94c SHA256:2d27fd6eff55c587623bfc813cd00780a4a91d982a254a28bd9f513e97e468bd Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/fullscreen/plugin.min.js MD5: a7a67d1de1a0330fc7769d384a6564cc SHA1: 8f2c4fc413526d1353c45a5bdc354812785c9439 SHA256:8493434d9d4fe38beeb02b66ca63a3cfa1b204c4afde4fc76a3e0bcb6136ef63 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/hr/plugin.min.js MD5: 5c23255ad2d11db3f72c33b649f1389a SHA1: 6a305889f4b3e54a46d82c37d1e782bebc78185a SHA256:1880a72526a3788c1483b4b3403d5510c501e985cbb4421ccebe1065b5ec2c6d Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/image/plugin.min.js MD5: aa1f3a90e6a46868d4fe85ca73dcf7ee SHA1: f72801281196df1233f2dc9f9abb79f2daf54e8b SHA256:9a51a338f96fe0fd2f97f622ab5b48723e2c377c13e2680ec7789b239c58e179 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/importcss/plugin.min.js MD5: 46010d328fee5d680f92277de734ae0f SHA1: 494c5b8dbaba4de5ed2f87bfa8603a32ed57fd56 SHA256:bcc827f4db1f3c157e50ce206a67c0438f6a40660f2a87fbb972148b7e269007 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/insertdatetime/plugin.min.js MD5: c65e3d48af19c32bdc45fff669e62048 SHA1: 146c52f4b7d57460be1797471c4ba102b3dd6ada SHA256:09c99ac2b89a7a30ca8d4892bfb24d38ebd5425ccae3e9b11ca928194ab8b36a Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/layer/plugin.min.js MD5: 3828a4555da924b1e7a387b799a4e429 SHA1: bec469242bef5acedd8729b6a8161238d4015949 SHA256:53fd6853bcd687e326292c404a00b4a088672ea8122d896c7e19f89798cfc9f0 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/legacyoutput/plugin.min.js MD5: 0c5c208d997854cac387df94d9d86250 SHA1: afc16b07074d50566643cf7eeaca3d6592e9f6f6 SHA256:10856e9c8df86168e6e85e2062a439fa5964d073a2aedcbe5a03f8193df6ee34 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/link/plugin.min.js MD5: 99f908cfad07c36e0c7bfedb651a60dc SHA1: 4b18374ef13a620a935a429ecaf6a932d951ccae SHA256:dc0027d88edda25a35c635a651b15d231cfc3aed326f3b15dcfa283b5cd57faa Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/lists/plugin.min.js MD5: 279a5b0bf93f8d81288dfbd117b6c77c SHA1: 6cf9310f71a8af782612f987c45070f7d4fb8896 SHA256:7ff40471acbae78157df0e7feba0f9a89cc6e193509a1280729fc2aeb562f103 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/media/plugin.min.js MD5: 54b12794da9f72eba7a1b7c742eef081 SHA1: 8bae182be0fbd80a1ad8f944ba3436580492a26c SHA256:9f5083ba1f9a2a3dd620785cf2888c29235776ab587791fa17cffff85ab5060d Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/nonbreaking/plugin.min.js MD5: 57e70fea5eafa39e96baef5e3a161345 SHA1: 59884f75d3e2bc6c1f7ed7867004a998a92bfe7f SHA256:657a112a9941c4ea4e7c574b011797ac332dd8880b1f9a3a33b679e971448adb Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/noneditable/plugin.min.js MD5: 1a4898b56ff60e263e03365b230d0bff SHA1: 6962c443008dc0103823b3ccf62ac9c4a73626a6 SHA256:2a3e9fa3296494b594a9bfa948372372617ee59f9fc93ebb4a2a27dc57a3f76d Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/pagebreak/plugin.min.js MD5: cb83a44a5067ea5772946b408d78199c SHA1: b28c2bb852de15457c66d34036b036061e0f6605 SHA256:0ee22700c2228ba9758ceacfb36cb662f39fc64b75f350127eb7bb727fca866b Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/paste/plugin.min.js MD5: 720418167ced7d4e1633fb64ba3d390f SHA1: ef47b96c54156804e045519d932bc7058d37e710 SHA256:25683be105faf23cbdf34bbaae760476b5cb6061f360b54535ea171bc94ae79d Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/preview/plugin.min.js MD5: 9d70ec722727adb76413e682f0a0e588 SHA1: e2b35b5f40d194af4d326d391c623941a1d29305 SHA256:3f62d78113afc6bd199b54066d2d38889da5bda29a3461fff44118f4d348873c Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/print/plugin.min.js MD5: d770c768f972dd323698be2b5d45d242 SHA1: 85fc5187189aa345320868a0337227225dbabbdc SHA256:aed57bc6a4ed6f69e061f179f556b650c1e6535fee41dd3d76e36ddfceef1d25 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/save/plugin.min.js MD5: 76741aa64a8a9a7506a14f6798a74b83 SHA1: 8cfc8265389d878aa9c23c13b90085d942776fc4 SHA256:2f0be9b281e3104aad415d4eb44c1266aa48cfd348dc5933b7361115d2e68013 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/searchreplace/plugin.min.js MD5: a3c4107374750dd57e7ddff0c8eb5643 SHA1: 190d12f4c16bf37974ea15ae87a5bd26e205c583 SHA256:c9c61ebaf3ce296b169b87bafc8c417016293f57be2924476ee945c3411754a0 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/spellchecker/plugin.min.js MD5: e744c036a839eb342af020318f4527d0 SHA1: 9b581fab93aa07d3595d5f3e93312098867c984c SHA256:553d9c89daff184092fd92062f9a4c986a24b769bdd59cdb8eee314420c1c6b6 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/tabfocus/plugin.min.js MD5: d810b096023695b38bf682f20774af98 SHA1: a1e6bda7027fe643c623dfa6a2e4990e3774a38f SHA256:d6c72e2b6645f20fb73a343805b48545cfb2215e29f849648f108b80d5564da1 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/table/plugin.min.js MD5: 46c5423637545ce4655ff1844150396e SHA1: e10994719509c005a7efbf1c3b41e52d1400b8b2 SHA256:eed3c615c035e1f489d2db10c1365834bded334cfd37cbcd06d46cd105026ca0 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/template/plugin.min.js MD5: c409f9fda82f973a1106a7b5878dd85e SHA1: 9e5764eb5d54b44ac41be65471ff80744117fe35 SHA256:20163b5311a6d86f6d993658e6bd3fbec2b1482b88aef023476f25a502bde88d Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/textcolor/plugin.min.js MD5: 870511532b062a500c95ae81e1cf23d3 SHA1: ed05f53a990e8986b62f468d3e60a6486f038428 SHA256:aa4832d86f88f94f386b102c232eab5299525e0dccfd01c94d343ac531ad0a2d Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/textpattern/plugin.min.js MD5: f3413b95cbfa2817c3de7b02e17743ca SHA1: 23a05dded8934205e5fee6e705172f5d624d8a22 SHA256:3baa5bc3db6aaddb2e975e52fb6d038089a32a100ee158538e7560a233fecf5b Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/visualblocks/plugin.min.js MD5: 9799dd341c8ad1495fbb10532582e760 SHA1: e4dd01381493ad802c9c38b4a1c84347a3b3b51c SHA256:0a0f01b9607dd3e0acbde63e7716938e2e6a9471515241aecf2d17932b768029 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/visualchars/plugin.min.js MD5: 9eb7433cda51e164d170010f9a86ed4c SHA1: 51cf1ca5dc71b2255da1d65a83ffd3d16eec8f2b SHA256:3b52f69be85505a5b74a8b353ea4756e208dd31982fae99e8c69bbdfa10e8e64 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
plugin.min.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/wordcount/plugin.min.js MD5: e025cce6ea770be54ef578112d797ae4 SHA1: a6b1ad13d2a09422ed3e4d4555f6a0a04599df17 SHA256:6ec028a9884af7b0d66343b2b727c689e4d9f529d9ad844c18ff178ee5d547bf Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
poi-3.12.jar
Description:
Apache POI - Java API To Access Microsoft Format Files
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/poi/poi/3.12/poi-3.12.jar MD5: c22098095e289dd8546d1565bc1a4c7d SHA1: 8be19a6a1fa08e934a497929f360111a4d2e5115 SHA256:aef9a5c3895c7fa05d8f72f477d817d3c2a11c8f4760c3d0951b86a7eb07f151 Referenced In Project/Scope: OpenKM Web Application:compile poi-3.12.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CWE-611 Improper Restriction of XML External Entity Reference
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
CWE-611 Improper Restriction of XML External Entity Reference
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
CWE-20 Improper Input Validation, CWE-770 Allocation of Resources Without Limits or Throttling
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/properties/properties.js MD5: b6b9faca9403e53b22a5aec3589a68f7 SHA1: 4c62b883d74a39200f50f9755788b4c656520b86 SHA256:cdeae6311b8b19564068b8ae89611efb9f43c3214e9442c40ab4830cf377c2b6 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
pt_BR.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/pt_BR.js MD5: fb06e7e3dba8251c0a5200f3df9609bc SHA1: 8ab2fd8e3732076af727c0fa03fd3f76add9bf4a SHA256:b047a8837b0baf3bed867a454d456df91690c0e29471ee1d8a944bedf9a2dabe Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
pt_PT.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/pt_PT.js MD5: 7e9ad8632be098ad4613d77aaff6bcb7 SHA1: 6e91045750da0ea9928bdd8924e550666644a402 SHA256:a8932c385742f61a140024f0f3e44ac3ce55cdae26a097d8f94307adb3f6799f Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
puppet.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/puppet/puppet.js MD5: 3c395b7fa1c9ade1ab76ca43ff4047ec SHA1: 2db63a187ebc432570e699a1021f12cf00baf712 SHA256:c572b4722a9e31a83015fd2c052d46f943cfa7a01ba8d799e01f0ecaf654df19 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
python-hint.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/python-hint.js MD5: ba8376020ec5868f56a94034bf396726 SHA1: 318baee188b04a86d449294cea67ec3ac0dd01df SHA256:1cd8893740f6995dfa58f05f14dde2a4cff6998ab331a299a9a5250718687eed Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
python.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/python/python.js MD5: 276c05bde8d7b945784374d8ee17964d SHA1: 027e8f8b63df70b3bcf7d1092c087448ba51938a SHA256:54468761ce3feb2a1c8729016a0e3ed0f7f0f7b917242549599f39048c5f5852 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
q.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/q/q.js MD5: eb0cb3d3d54bc05313f2b1241e1fa8a3 SHA1: 07bf08f16c1176ffd0ae0e50ff32dd4bf98fabbb SHA256:624c14ffcf3046191897869b34d1e6e15a8495870f88da0d4cd664663db23ede Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
r.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/r/r.js MD5: 939945c81b626959a12ccd25ac2c7839 SHA1: 3c570dfe382af5d893da9ce4aa33878a1ef2668a SHA256:fcd8e30c9ee6bb0e284e456dc6e5bab5f26f7c49d9078b67e8918b74b95834d7 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
reflections-0.9.11.jar
Description:
Reflections - a Java runtime metadata analysis
License:
WTFPL: http://www.wtfpl.net/
The New BSD License: http://www.opensource.org/licenses/bsd-license.html
File Path: /home/vaclav/.m2/repository/org/reflections/reflections/0.9.11/reflections-0.9.11.jar MD5: aca303b243a6c2225685b992ceea1cb3 SHA1: 4c686033d918ec1727e329b7222fcb020152e32b SHA256:cca88428f8a8919df885105833d45ff07bd26f985f96ee55690551216b58b4a1 Referenced In Project/Scope: OpenKM Web Application:compile reflections-0.9.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/com/sun/org/apache/xml/internal/resolver/20050927/resolver-20050927.jar MD5: 96d75a90d89ff0cb6b96282171a212de SHA1: ee4db4a5f15cbdb453808c2839f08240ac231e46 SHA256:4abbc5d52aab572ad70f83554ba366e983412e57f527af95fd19758503a03f3c Referenced In Project/Scope: OpenKM Web Application:compile resolver-20050927.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ro.js MD5: 365a69437f9b98d77937abdcbcf419e5 SHA1: 6f1765a899584e2243a49a4ccf78b7a83a8e2d63 SHA256:9b7cb91392c19b8deb8c6f989a8299d2205f480e7577ac5e83d88cef6dbe8d51 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
rome-1.0.jar
Description:
All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it
easy to work in Java with most syndication formats. Today it accepts all flavors of RSS
(0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes
a set of parsers and generators for the various flavors of feeds, as well as converters
to convert from one format to another. The parsers can give you back Java objects that
are either specific for the format you want to work with, or a generic normalized
SyndFeed object that lets you work with the data without bothering about the
underlying format.
File Path: /home/vaclav/.m2/repository/rome/rome/1.0/rome-1.0.jar MD5: 53d38c030287b939f4e6d745ba1269a7 SHA1: 022b33347f315833e9348cec2751af1a5d5656e4 SHA256:cd2cfd3b4e2af9eb8fb09d6a2384328e5b9cf1138bccaf7e31f971e5f7678c6c Referenced In Project/Scope: OpenKM Web Application:compile rome-1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/.m2/repository/com/sun/xml/messaging/saaj/saaj-impl/1.5.3/saaj-impl-1.5.3.jar MD5: 9c3bd20b7350f99f18f8c38fbed90199 SHA1: 1cd4aa51ea7a8987fe930083e3cd05e2ac72505b SHA256:21d451aa7dbe1254388ecc4e5ea71aabbc519c7d7344c9d93e9f79954f38b32b Referenced In Project/Scope: OpenKM Web Application:compile saaj-impl-1.5.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.6.3
The W3C Software License: http://www.w3.org/Consortium/Legal/copyright-software-19980720
File Path: /home/vaclav/.m2/repository/org/w3c/css/sac/1.3/sac-1.3.jar MD5: eb04fa63fc70c722f2b8ec156166343b SHA1: cdb2dcb4e22b83d6b32b93095f644c3462739e82 SHA256:003785669f921aafe4f137468dd20a01a36111e94fd7449f26c16e7924d82d23 Referenced In Project/Scope: OpenKM Web Application:provided sac-1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.google.gwt/gwt-user@2.8.2
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/sass/sass.js MD5: a4fec0d19cba2db69f65778b400ddd6b SHA1: 08e096a050212bdf8c0e05d3d67197f38a7d8b07 SHA256:f569850da80733a07e503a19e9221c22c1ef02f6c298cf8e524e2f2e92a4b26a Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
scheme.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/scheme/scheme.js MD5: 69d29be2eb14c3d9ed525516b8068e78 SHA1: 4628e1327b7c163b0f5985cb957d5bfaf78be750 SHA256:e377dbc04ab9d98f449d06f11c434efab5bae2b4f22d152c2f77764eef98ba55 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
scrollpastend.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/scroll/scrollpastend.js MD5: ba2b499d177929af53c8f5600251ae50 SHA1: 144046bda8a08cc0aa0f2918a86af037c3767757 SHA256:2dc75eb57818f1b5aea5672bc85b3bc62147b13165a9802004af2eb4dba2e910 Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
scss_test.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/css/scss_test.js MD5: 5cb6aecad7b9e26ba606e63bbd9df239 SHA1: 6d044d19fb0be7556f3a6f359c59dbee614f1f51 SHA256:55787a681d4d9e1621316a15d840b4258a0c151ccd1506f8e1ee98e5fb883dea Referenced In Project/Scope: OpenKM Web Application
Evidence
Type
Source
Name
Value
Confidence
Identifiers
None
search.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/search/search.js MD5: ac824839f0d07d89bd1dd411b1c0edec SHA1: 2d3c929d6e9082d8327e898e0cf599b88ca130e3 SHA256:5432950dd8c3a2a65780be3f226cfac6b63b228079dc18c7eeb1783431ac9276 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
searchcursor.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/search/searchcursor.js MD5: e25169181322c4462986f7aacb99be52 SHA1: 40be9c0cbab66404c699af1337576ce277854f23 SHA256:3cb7861643258fce7b48e5dfc43977ad4b4151fabbd3c75a4ec4680936517f7f Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
serializer-2.7.1.jar
Description:
Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input SAX events.
File Path: /home/vaclav/.m2/repository/xalan/serializer/2.7.1/serializer-2.7.1.jar MD5: a6b64dfe58229bdd810263fa0cc54cff SHA1: 4b4b18df434451249bb65a63f2fb69e215a6a020 SHA256:a15078d243d4a20b6b4e8ae2f61ed4655e352054e121aada6f7441f1ed445a3c Referenced In Project/Scope: OpenKM Web Application:compile serializer-2.7.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | serializer | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | serializer | Highest
Vendor | jar | package name | xml | Highest
Vendor | manifest: org/apache/xml/serializer/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/xml/serializer/utils/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | artifactid | serializer | Highest
Vendor | pom | artifactid | serializer | Low
Vendor | pom | groupid | xalan | Highest
Vendor | pom | name | Xalan Java Serializer | High
Vendor | pom | parent-artifactid | apache | Low
Vendor | pom | parent-groupid | org.apache | Medium
Vendor | pom | url | http://xml.apache.org/xalan-j/ | Highest
Product | file | name | serializer | High
Product | jar | package name | apache | Highest
Product | jar | package name | serializer | Highest
Product | jar | package name | utils | Highest
Product | jar | package name | xml | Highest
Product | manifest: org/apache/xml/serializer/ | Implementation-Title | org.apache.xml.serializer | Medium
Product | manifest: org/apache/xml/serializer/ | Specification-Title | XSL Transformations (XSLT), at http://www.w3.org/TR/xslt |
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
CWE-264 Permissions, Privileges, and Access Controls
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
CWE-681 Incorrect Conversion between Numeric Types
File Path: /home/vaclav/.m2/repository/org/mortbay/jetty/servlet-api/2.5-20081211/servlet-api-2.5-20081211.jar MD5: 083898d794cc261853922ca941aee390 SHA1: 22bff70037e1e6fa7e6413149489552ee2064702 SHA256:068756096996fe00f604ac3b6672d6f663dc777ea4a83056e240d0456e77e472 Referenced In Project/Scope: OpenKM Web Application:compile servlet-api-2.5-20081211.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.gdata/core@1.47.1
Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash ("%5C") characters. NOTE: this might be the same issue as CVE-2006-2758.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/tomcat/servlet-api/6.0.36/servlet-api-6.0.36.jar MD5: eef090b55ae1b68bf98b1e52fe98f53f SHA1: d52df1c140619ab68ec2e3162b7e2e0fdb248d2b SHA256:70887f84a95936fd41da7f3feb2bec2f999ef87fdcf15851c56969648643c02c Referenced In Project/Scope: OpenKM Web Application:compile servlet-api-6.0.36.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.ettrema/milton-servlet@1.8.1.4
Description: Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.
Required Action: Apply updates per vendor instructions.
Due Date: 2023-06-02
Notes: https://tomcat.apache.org/security-9.html
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
CWE-264 Permissions, Privileges, and Access Controls
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.
java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
CWE-94 Improper Control of Generation of Code ('Code Injection')
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.
Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CWE-264 Permissions, Privileges, and Access Controls
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
CWE-264 Permissions, Privileges, and Access Controls
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shAutoloader.js MD5: a122e7137e224f646b22b910a779d211 SHA1: 5622d674a99d6052829893851dcee1c9b0c7af26 SHA256:0841295a7e23dabc77c6deb5dc0d10e89a81db34c125f5c4acaffbd2ded3ebde Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushAS3.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushAS3.js MD5: 442d259478af459cb198f1c7920cd6bf SHA1: 2e4aa2b0ba7c211a461f4178831af47f0e0613ae SHA256:9871cb70f85eee26668f7400c5efec0245311529c0ba0be27a31d535b39e9a8c Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushAppleScript.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushAppleScript.js MD5: 74a77dcec7dd7bd0c996c312d10569bc SHA1: 4c032070be424731d1fcf15d5f14c5ad50aba9e2 SHA256:e910d375025acb7942dd2a1afc0cad373d424a37610876636ef6bdccc5615c29 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushBash.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushBash.js MD5: 2d78054b479066ae1555e9c3ff2982e8 SHA1: 531024ca0b9decf816ea4c1edb65ac732bd445ab SHA256:4819e4b43b2b58bff731cf248d1014ab89250ad347fd0529c246385865e54974 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushCSharp.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushCSharp.js MD5: b280eea611e5ed28f08ea552b59dfef0 SHA1: bad1e3c00e03fc7475a7b92012d8c39488a94ab1 SHA256:df44c6cbb3944b3bfaac20e2666af037613853bef6a242dc2ede1fc8efdf63cc Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushColdFusion.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushColdFusion.js MD5: 915874e18d8380902cb7eca143fcee13 SHA1: e03bf93a134747499000f2d8f26b0ed7b44f586c SHA256:15b8bafb748aeaf8932635e5935b6b3f6ba6ee740cabf624d2d8f10594fed769 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushCpp.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushCpp.js MD5: f88b763be0c3069581db71bae6025bd8 SHA1: eeaff35a98cf75421b4d2afe46aa631c6f89fd0b SHA256:a049c1d9058f34156daa5dbab591f5bee61161ebee3fc2fef081bfba1c244e1b Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushCss.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushCss.js MD5: a07a03d9b8a586105267106ed629339e SHA1: dc14023bd87bc94ec6cb1f4f1b3570466bb6394f SHA256:d3c494b68b64e24bdc66748471fe73d49f0d5402e02029fd6acad00e1a1bd5b8 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushDelphi.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushDelphi.js MD5: 29db1af76facf2deb013621981c43ab7 SHA1: f8e8c79b6ca3f9cf02befacdd7f5442e5e6f4cdf SHA256:8ef1e291eec72ca3fff0921378c3a0d460d340b7c31704d3ab9d13d984b71296 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushDiff.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushDiff.js MD5: 2e12da4b8224909fc0b92131bb04fb7e SHA1: d4b02ef15a3a349e5a203ec5b5e96e797c0706b5 SHA256:97f595d1bf336cea21f7caff224238fd1dc9e98f8d4608eb4e742c58e447ed14 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushErlang.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushErlang.js MD5: 112da02c9c7c83494f3764540aec6cdd SHA1: 0821ca2cd71c32e2a1a1ae1456ba8463fb6fc85b SHA256:89fb5ef0ebb288764850672bc58c5782639a2085bfb140c313d7de8ab2bf6d66 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushGroovy.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushGroovy.js MD5: 9c6ede0ba21cb804301e156e2b4fd03c SHA1: d315b9dbbd39a8a97d1acc9f80cbef916a45839d SHA256:14bbddd8b6c3bb08ecc293fed7d5941ef31a1f837f795a75687e7e5cc1cfea47 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushJScript.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushJScript.js MD5: cdae918e2156986f76ada6d301c45f27 SHA1: 7c8b34f14f4caf9cf2b6ac3315f7bacd95d69e3c SHA256:3f534a9cb3030831626f875de5e69f72e1cc020db2761b6ac8a0186ef4fff512 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushJava.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushJava.js MD5: c374a5018773714f971543dc273fceed SHA1: 5a1f33a6004f44f9c9e60b867555b88b77424833 SHA256:29c5f3b4457780a50847804a17dc6906b11f5dc0ecc78f943d7a488690277cf3 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushJavaFX.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushJavaFX.js MD5: 0afafd1298c5870e7f3bf8ab761ccb6e SHA1: 97937a8230c34d7c4fa58fb945ae5b4ed7fa9b47 SHA256:15367145380ec842cc7f9ac4ee51ca3157b2c19062e5a1f7b625b6d6c2778a68 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushPerl.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushPerl.js MD5: b5300568d34b9182117922e8fc7c540a SHA1: b7c5eb10c7ec0e8d120bd4c5ab58f51c9b3791f7 SHA256:d1c7ec6f223e7b7541ab70c5486540f3bfa7b34ebda896f131847a12ff6c73ac Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushPhp.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushPhp.js MD5: 0a52933147cb95e4860a81c6c86863f8 SHA1: 222f0605fe9de44d8daef71d8fc94f4b3e72e398 SHA256:eeb0f65854972899fc99b17cf25ea68831cfb238e1e41654135c69b8a6f9fd99 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushPlain.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushPlain.js MD5: 87fdca14e9886310a4e4b3ceb429c7f8 SHA1: 8c41e3dc03b9a9d7d5cdeded987d7695974cd797 SHA256:4916a1324a99bcafb7b7e8b333d9b1fa37c427950bb0411d38baac12846c17ad Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushPowerShell.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushPowerShell.js MD5: 3939e2b31f99d06960e56b24697773fd SHA1: c93b138058748015f3e4fc1de90dc5d698819c0e SHA256:3705039e346c2f75e0f0e8a2c56e8a08ac290def3baa82da68c33263ec7e4d23 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushPython.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushPython.js MD5: 734fbf7c3eb377282d42c6ea110b1ef1 SHA1: c3771aed486b7f9694536956979fb422a87e6d29 SHA256:8ec5a39b87d75a7a2967fc06474337c15a9ca1978ec4a8843818fc24897e6475 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushRuby.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushRuby.js MD5: 8da67ffc8de2d75073fc6b31d9af78f9 SHA1: d75c56b563630b02073653c76ab1e3ca8a4e3f08 SHA256:85b5c4f0308c8cd394ae84182ed4e60ba70c77d43423895641c8555e10b5a839 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushSass.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushSass.js MD5: ebb4bef932492672be74fd925513fc9a SHA1: eb59ec77896569d73264519ce7eada71a9fee838 SHA256:0967b3d04a276ae4b656f36714cf28c0f691c3f5c2dd6d36eb2f1fbaf0f714cc Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushScala.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushScala.js MD5: ec43414a7d9f971e1b6e3b7bdc4d75b6 SHA1: 8f909fa1a7da297ff16277a596444b8551d33252 SHA256:575d4786edd00d96154cd1b36a7fb19eaa6a1bec780b64c73060855882630ee5 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushSql.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushSql.js MD5: 3de8eb19c0c7a60c1c3e0680c18709ab SHA1: e1dcf432958657122e61dce037ab98db1ba0118d SHA256:83796b8fe75cbbdbb444119072f952caa0acf11fb0f9879ec9994da31567de68 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushVb.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushVb.js MD5: bb8a98a95fabbd96b6c94582716c57cd SHA1: ff215086fc178bbe8913193494b2f94d73b6d46f SHA256:dc7ad24d7c13335b46b25572c11e1e0238069d54900638d884a53c44d37be5b2 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shBrushXml.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushXml.js MD5: ba290ac0111d2c3f8e1ce36fbaf6a239 SHA1: 311b19458f80720e59522be044709aa5c78adff1 SHA256:fb1fe49a904a4fda3ed82d2f88048b2ae88c217980b6bf2163c07f048663b43e Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shCore.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shCore.js MD5: 488ca2f56c37f84283fc9be63219304f SHA1: bd9599773965e9c84565abc2e6acdaa92ad6e83f SHA256:584a26f39cef2db245f41d4f6b8e3d0f7dfac5c06f0f454a49dfb94f6fb1517b Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shLegacy.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shLegacy.js MD5: b37bc74a8cdb69d5e11e02e9b989189d SHA1: afd7575a7482d3505613d2dbef721a30459b98c5 SHA256:7d02302bbb9594600c23c2b73fda9bb95ce35e0bdcb9c9d90c87f48ebbe41d33 Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
shell.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/shell/shell.js MD5: 8a7a29611124bbaeaaa409f09a5d9e50 SHA1: 7c94042d4f62228f444518c8cb0a9159978ffe01 SHA256:f74cc7f7aecedc934ac164cc404d36422cf35864fc775b342ca260c5354bc5cb Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
show-hint.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/show-hint.js MD5: ea510962117eb297d093dd47e8ce7407 SHA1: 04fb567177c2914c747164e25d79fb9d07a8850d SHA256:fbe338941f71e9841502934fcb898d715f9f7cc75b7782bada17288cb3292f5a Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
si_LK.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/si_LK.js MD5: 893cc57b6a5aacdcb1071cc6cf5ea98e SHA1: ae79f533a8528590226817046592aef4ee767b67 SHA256:38e7be5e98e472e39787bab3da77482c0d26a2d4c43cd378696ec13e0df8edca Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
sieve.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/sieve/sieve.js MD5: 26435b472bd68964d42a86b0ca5fa912 SHA1: bcf65527019aa7009551079138a18570f26cba39 SHA256:b42e0d4e32e5c3b9240210f64c7ea0f82df3d7b2dd1d81b5696807487fe47b25 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type | Source | Name | Value | Confidence): no entries
Identifiers: None
sigar-1.6.5.132-6.jar
Description:
SIGAR (System Information Gatherer and Reporter) is a cross-platform, cross-language library and command-line tool for accessing operating system and hardware level information in Java, Perl, Ruby, Python, Erlang, PHP and C#.
License:
Apache License Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/hyperic/sigar/1.6.5.132-6/sigar-1.6.5.132-6.jar MD5: 91197aafc9b6473401ff8e67c46ebc3d SHA1: ad0bd6185f6303d376ffb51433089408bd90921e SHA256:632db274a8d7eba32e874c9d28fcc5591ad1583216ce0526adea6a49bc480876 Referenced In Project/Scope: OpenKM Web Application:compile sigar-1.6.5.132-6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/sk.js MD5: a3fb86a79696e9a3db3e5567530bb321 SHA1: 3c13743eab359deca4bcbb701f10114b4cf77194 SHA256:248c64be63a2c2dab81f9fa726152f5d5e26f4f4f550c90563df4f1fd588ba8d Referenced In Project/Scope: OpenKM Web Application
Evidence (Type | Source | Name | Value | Confidence): no entries
Identifiers: None
sl_SI.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/sl_SI.js MD5: 8f56e0298a498ab31084f3a36f8bb8b6 SHA1: 88f92095cc2a0d899dbf90efc8a3dcd508caf40c SHA256:781be1c1571ddd307ea8f1a4130737262da315710e552d755c8387f1f0019a1e Referenced In Project/Scope: OpenKM Web Application
Evidence (Type | Source | Name | Value | Confidence): no entries
Identifiers: None
slf4j-api-1.7.7.jar
Description:
The slf4j API
File Path: /home/vaclav/.m2/repository/org/slf4j/slf4j-api/1.7.7/slf4j-api-1.7.7.jar MD5: ca4280bf93d64367723ae5c8d42dd0b9 SHA1: 2b8019b6249bb05d81d3a3094e468753e2b21311 SHA256:69980c038ca1b131926561591617d9c25fabfc7b29828af91597ca8570cf35fe Referenced In Project/Scope: OpenKM Web Application:compile slf4j-api-1.7.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/ch.qos.logback/logback-classic@1.1.3
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/smalltalk/smalltalk.js MD5: 50009d72a5443ddc20095206ed14496c SHA1: 77d3f5ad6311ddcf2abf23afbb1ff899131fa463 SHA256:87cbf5f50356db0fc7cbd7f6462b88b39e0b550fcdd1991e98142fbf9ebc59dc Referenced In Project/Scope: OpenKM Web Application
Evidence (Type | Source | Name | Value | Confidence): no entries
Identifiers: None
smarty.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/smarty/smarty.js MD5: 24c5bdcad151a30c277c7b340687a879 SHA1: b56e542931d973dad8c4b702683ebd72787ed931 SHA256:ebeb1f048eb2abeaf10a541839988ea3ed38b31ee32326500f478cbd862f09e1 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type | Source | Name | Value | Confidence): no entries
Identifiers: None
smartymixed.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/smartymixed/smartymixed.js MD5: 911149271518e4a2f6e98aa91f0894d4 SHA1: 8fd8885433efd6a3f1b99f01135a3dec9bab14fa SHA256:20f176450153390d9ca38067bd58e1c7cb0f69b7a88239139cab5414d6153597 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type | Source | Name | Value | Confidence): no entries
Identifiers: None
snakeyaml-2.2.jar
Description:
YAML 1.1 parser and emitter for Java
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/yaml/snakeyaml/2.2/snakeyaml-2.2.jar MD5: d78aacf5f2de5b52f1a327470efd1ad7 SHA1: 3af797a25458550a16bf89acc8e4ab2b7f2bfce0 SHA256:1467931448a0817696ae2805b7b8b20bfb082652bf9c4efaed528930dc49389b Referenced In Project/Scope: OpenKM Web Application:compile snakeyaml-2.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.6.3
File Path: /home/vaclav/.m2/repository/org/apache/solr/solr-core/3.1.0/solr-core-3.1.0.jar MD5: 381e3a1089b35160415144f3a2a1e65c SHA1: f11ea0c9f359a4ec48dd734595ae5e949b287692 SHA256:bc371866b4d2ff1bf45a0bb3b0f5a432c707b566584311fc9a932fa66dfebc3b Referenced In Project/Scope: OpenKM Web Application:compile solr-core-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final
The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-20 Improper Input Validation, CWE-40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.
Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e you could read/write to any location the solr user can access.
The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407.
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.
CWE-611 Improper Restriction of XML External Entity Reference
Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Description: The optional Apache Solr module DataImportHandler contains a code injection vulnerability.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-06-10
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
CWE-94 Improper Control of Generation of Code ('Code Injection')
The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary web script or HTML via crafted fields that are mishandled during the rendering of the (1) Analysis page, related to webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related to webapp/web/js/scripts/schema-browser.js.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter to a plugins/cache URI.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/solr/solr.js MD5: 7ec868603bab2f2f633f1cffb6af0757 SHA1: 78e5cf94fcd21e558edeb96e44001f2d941beb47 SHA256:8a84502fb860a6a1656b9d9d0747e5462abfef8029725455addd4ab68068f3dc Referenced In Project/Scope: OpenKM Web Application
Evidence (Type | Source | Name | Value | Confidence): no entries
Identifiers: None
sparql.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/sparql/sparql.js MD5: 5ad2b666cf4cda3808bc14586cd32330 SHA1: e167460275abad609a02bd7b3c92bc15cb8d53fa SHA256:46a77a63732eae732a798e8d64934e81f8e5661406cb80798c80ab5465c5c105 Referenced In Project/Scope: OpenKM Web Application
Evidence (Type | Source | Name | Value | Confidence): no entries
Identifiers: None
spring-core-3.2.18.RELEASE.jar
Description:
Spring Core
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/springframework/spring-core/3.2.18.RELEASE/spring-core-3.2.18.RELEASE.jar MD5: 635537b54653d8155b107630ae41599e SHA1: 0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd SHA256:5c7ab868509a6b1214ebe557bfcf489cfac6e1ae4c4a39181b0fe66621fbe32e Referenced In Project/Scope: OpenKM Web Application:compile spring-core-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/springframework/spring-expression/3.2.18.RELEASE/spring-expression-3.2.18.RELEASE.jar MD5: 7e5fbe8696a4e71dc310c1ff9f8286e1 SHA1: 070c1fb9f2111601193e01a8d0c3ccbca1bf3706 SHA256:cde7eda6cc2270ab726f963aeb546c3f4db76746c661c247fbfb5d2a4d2f4411 Referenced In Project/Scope: OpenKM Web Application:compile spring-expression-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework/spring-context@3.2.18.RELEASE
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
In Spring Framework versions prior to 5.2.24, 5.3.27 and 6.0.8, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/springframework/ldap/spring-ldap-core/1.3.2.RELEASE/spring-ldap-core-1.3.2.RELEASE.jar MD5: 22fd2c2a902ebd78c66a19cfdadd649d SHA1: cae848fe4280fef46bad5a7bad2fe4404f8bd442 SHA256:5a65f2e31546435bdb6171027cd3e8448447bbc97e86a057645241905700e109 Referenced In Project/Scope: OpenKM Web Application:compile spring-ldap-core-1.3.2.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-ldap@3.2.10.RELEASE
In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/springframework/spring-oxm/3.2.4.RELEASE/spring-oxm-3.2.4.RELEASE.jar MD5: 2abb980787ce24a67a9496172cef65cf SHA1: 1de9e0537d7ea233668540577e72d86ff6df6d8b SHA256:fc259b1b0946c862527c5714dca66f6e884ce8249b35d146bed0fa66d553b1e8 Referenced In Project/Scope: OpenKM Web Application:compile spring-oxm-3.2.4.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.ws/spring-ws-core@2.1.4.RELEASE
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
CWE-552 Files or Directories Accessible to External Parties
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
CWE-611 Improper Restriction of XML External Entity Reference
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
CWE-611 Improper Restriction of XML External Entity Reference, CWE-352 Cross-Site Request Forgery (CSRF)
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
In Spring Framework versions prior to 5.3.20+, 5.2.22+, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/springframework/security/spring-security-acl/3.2.10.RELEASE/spring-security-acl-3.2.10.RELEASE.jar MD5: f87a9ef5d7952bc6f8096b3223d67e19 SHA1: 0417714b1b6c7f11cb6c2a5ee4c3738d43353928 SHA256:7916014dbd3c61585d92aeb14e4c74584c60b7858bfb8e63b2af4560d1955315 Referenced In Project/Scope: OpenKM Web Application:compile spring-security-acl-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.security/spring-security-taglibs@3.2.10.RELEASE
In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/springframework/security/spring-security-config/3.2.10.RELEASE/spring-security-config-3.2.10.RELEASE.jar MD5: 8c8534526c1ed31e3cdc65523e782e3c SHA1: c8c9c742067d5a4879bf8db289cb48b60262056a SHA256:f8849bb9e245423924ccdaee6693d497f1b4d2dd2069e7695d4fdd2b82a2f5b3 Referenced In Project/Scope: OpenKM Web Application:compile spring-security-config-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-20862 for details
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/springframework/security/spring-security-core/3.2.10.RELEASE/spring-security-core-3.2.10.RELEASE.jar MD5: 86427a3f1e565f975b48cb8b9be4649d SHA1: e8018fab2ada266288d1db83cc4e452de1e2ed1c SHA256:10443ef19e3cbe2b82197983d7fa0dec5bebd40dc3ca2c0cf02864359cdc2c93 Referenced In Project/Scope: OpenKM Web Application:compile spring-security-core-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2019-3795 for details
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/springframework/security/spring-security-ldap/3.2.10.RELEASE/spring-security-ldap-3.2.10.RELEASE.jar MD5: ec497189a708a0c52fbfb1c9056d65c6 SHA1: 22450c3c3897ed7c06b98d3ac5bdac5e01b31574 SHA256:948a3476aa3d758fd4c54cd0ef17a5e2297c02d0438033008e82c2a9bd1014cc Referenced In Project/Scope: OpenKM Web Application:compile spring-security-ldap-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/springframework/security/spring-security-web/3.2.10.RELEASE/spring-security-web-3.2.10.RELEASE.jar MD5: 22b94b4f676727805952091f92cd60f5 SHA1: b925996ca5a7310e3315705cd2b69a15214ee3e1 SHA256:84b59931956693916e744977cec02db88fcd17eb11f47081d46b7fdc5196b1dd Referenced In Project/Scope: OpenKM Web Application:compile spring-security-web-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-20862 for details
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/springframework/spring-web/3.2.18.RELEASE/spring-web-3.2.18.RELEASE.jar MD5: c3435c31fea5f1e479b4bb5eba32133d SHA1: bc0bdade0a7a52b8fae88e1febc8479383a2acad SHA256:0aa220d3703eaf6eff670423978566a2af506fb9ea8bb728fa05bb16bdc74e9c Referenced In Project/Scope: OpenKM Web Application:compile spring-web-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-22243 for details
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
In Spring Framework versions prior to 5.3.20+, 5.2.22+, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/springframework/spring-webmvc/3.2.18.RELEASE/spring-webmvc-3.2.18.RELEASE.jar MD5: 2cb8a9569b95a76a0485d71c913c1819 SHA1: 60e5bb3dc9cb83d6cc53628082ec89a57d4832b2 SHA256:effcce98fd4e9fa95c9a53e49db801f1e2d011ee6dcbb7a7eb1a3ca3bcb2cfd5 Referenced In Project/Scope: OpenKM Web Application:compile spring-webmvc-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service (ReDoS) attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
File Path: /home/vaclav/.m2/repository/org/springframework/ws/spring-ws-core/2.1.4.RELEASE/spring-ws-core-2.1.4.RELEASE.jar MD5: 3af5370615b2816ef898934d4d666039 SHA1: 136d082e0aa7f43edee019f0779a2555b1c72fd4 SHA256:8782c0b394ada40448ad5ace1914f4a88d3ebe79c92fa79bd3d816fd86222365 Referenced In Project/Scope: OpenKM Web Application:compile spring-ws-core-2.1.4.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/sql-hint.js MD5: 4c27642784664b7e0484a11ad2850c57 SHA1: bebb61496040c046540ebbb17861158fb670c10d SHA256:b97d977c167f2db5efdb7be83ec0ec5ef01f7e0f35908739f16d7e3e4490188d Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
sql.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/sql/sql.js MD5: 6c04b6e6e12f8bb8eead7bf853e66d32 SHA1: c1a2166061b0a68a73e08efec88831bdd6e89203 SHA256:1f78817f680b3ebbe726d2d48f4a094d1bc5d41d4066355bef9261208a6b3fd2 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
sr.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/sr.js MD5: ce0b00505e20ce27858859ae6cd28406 SHA1: 6aef42af49cc2866368503fcaaa97e32146e5a0b SHA256:803da84204c0bb0348a76c50b317b42d8637604ccfd67fc6b6c6cd77bee32280 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
stax-1.2.0.jar
Description:
StAX is the reference implementation of the StAX API
File Path: /home/vaclav/.m2/repository/stax/stax/1.2.0/stax-1.2.0.jar MD5: aa3439d235f7d999532b66bac56c1f87 SHA1: c434800de5e4bbe1822805be5fb1c32d6834f830 SHA256:df6905a047b05e23bc91f03ba57ac2f87c1ddf83e048aa0e5bd13169d5ebf0d9 Referenced In Project/Scope: OpenKM Web Application:compile stax-1.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3
StAX is a standard XML processing API that allows you to stream XML data from and to your application.
License:
GNU General Public Library: http://www.gnu.org/licenses/gpl.txt
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
File Path: /home/vaclav/.m2/repository/javax/xml/stream/stax-api/1.0-2/stax-api-1.0-2.jar MD5: 7d18b63063580284c3f5734081fdc99f SHA1: d6337b0de8b25e53e81b922352fbea9f9f57ba0b SHA256:e8c70ebd76f982c9582a82ef82cf6ce14a7d58a4a4dca5cb7b7fc988c80089b7 Referenced In Project/Scope: OpenKM Web Application:compile stax-api-1.0-2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.ws/spring-ws-core@2.1.4.RELEASE
StAX API is the standard java XML processing API defined by JSR-173
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/stax/stax-api/1.0.1/stax-api-1.0.1.jar MD5: 7d436a53c64490bee564c576babb36b4 SHA1: 49c100caf72d658aca8e58bd74a4ba90fa2b0d70 SHA256:d1968436fc216c901fb9b82c7e878b50fd1d30091676da95b2edd3a9c0ccf92e Referenced In Project/Scope: OpenKM Web Application:compile stax-api-1.0.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.codehaus.jettison/jettison@1.3.5
License:
Dual license consisting of the CDDL v1.1 and GPL v2: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
File Path: /home/vaclav/.m2/repository/org/jvnet/staxex/stax-ex/1.8/stax-ex-1.8.jar MD5: a0ebfdbc6b5a34b174a1d1f732d1bdda SHA1: 8cc35f73da321c29973191f2cf143d29d26a1df7 SHA256:95b05d9590af4154c6513b9c5dc1fb2e55b539972ba0a9ef28e9a0c01d83ad77 Referenced In Project/Scope: OpenKM Web Application:compile stax-ex-1.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.1
Stax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
License:
The BSD 2-Clause License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/vaclav/.m2/repository/org/codehaus/woodstox/stax2-api/4.2.2/stax2-api-4.2.2.jar MD5: 6949cace015c0f408f0b846e3735d301 SHA1: b0d746cadea928e5264f2ea294ea9a1bf815bbde SHA256:a61c48d553efad78bc01fffc4ac528bebbae64cbaec170b2a5e39cf61eb51abe Referenced In Project/Scope: OpenKM Web Application:compile stax2-api-4.2.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.6.3
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/stex/stex.js MD5: dab06b4adb721265eeee8b0cd31e7664 SHA1: ad3bbc4f462be3ef59ddc64d0c42894d526bfecd SHA256:0394d8791bb2b0fcc1fc2de82780721b454a7ba3b8f63002d44327cc5b940459 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
streambuffer-0.9.jar
File Path: /home/vaclav/.m2/repository/com/sun/xml/stream/buffer/streambuffer/0.9/streambuffer-0.9.jar MD5: f81bbfa225d404afde803263905158ff SHA1: f4b8b8575fcc558768df76658192f3c0202ca22a SHA256:1bcfb2072318cb160ab9ffe32330811154e9a2de1be634626cf2b6e6ab4d0868 Referenced In Project/Scope: OpenKM Web Application:compile streambuffer-0.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0
StringTemplate is a java template engine for generating source code,
web pages, emails, or any other formatted text output.
StringTemplate is particularly good at multi-targeted code generators,
multiple site skins, and internationalization/localization.
It evolved over years of effort developing jGuru.com.
StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
and powers the ANTLR v3 code generator. Its distinguishing characteristic
is that unlike other engines, it strictly enforces model-view separation.
Strict separation makes websites and code generators more flexible
and maintainable; it also provides an excellent defense against malicious
template authors.
There are currently about 600 StringTemplate source downloads a month.
License:
BSD licence: http://antlr.org/license.html
File Path: /home/vaclav/.m2/repository/org/antlr/stringtemplate/3.2.1/stringtemplate-3.2.1.jar MD5: b58ca53e518a92a1991eb63b61917582 SHA1: 59ec8083721eae215c6f3caee944c410d2be34de SHA256:f66ce72e965e5301cb0f020e54d2ba6ad76feb91b3cbfc30dbbf00c06a6df6d7 Referenced In Project/Scope: OpenKM Web Application:compile stringtemplate-3.2.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.docx4j/docx4j@3.1.0
File Path: /home/vaclav/.m2/repository/io/swagger/swagger-annotations/1.6.13/swagger-annotations-1.6.13.jar MD5: 67a797eb36546cf3858a710f1b1b1163 SHA1: 4bab0f7b1bc57f4a9695831be533f9b73d97512a SHA256:9c1a82f5552595ce8f47cafd8e7999639fef4c18d6c2e922586339cc5e3408ac Referenced In Project/Scope: OpenKM Web Application:compile swagger-annotations-1.6.13.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.6.3
File Path: /home/vaclav/.m2/repository/io/swagger/swagger-core/1.6.13/swagger-core-1.6.13.jar MD5: 363d1e57c525e6f25a78ebfb8c97a76d SHA1: d8fc8dbb0f8d005c236c57d65a361f1adaabb536 SHA256:81e6573e6aebf844af87ac7358880f61bd5578fa24ed8215ba442cd2a66fd59b Referenced In Project/Scope: OpenKM Web Application:compile swagger-core-1.6.13.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.6.3
File Path: /home/vaclav/.m2/repository/io/swagger/swagger-jaxrs/1.6.13/swagger-jaxrs-1.6.13.jar MD5: b20a53a4166ba2accdc8e8ed3d6097fd SHA1: 7829f16962e57429db1c6b0d31da263cc3d58242 SHA256:e95d824b1d5e270e67cc18855dbd8950aaa379feaf0b0ddfb7d86d67b45d7788 Referenced In Project/Scope: OpenKM Web Application:compile swagger-jaxrs-1.6.13.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.6.3
File Path: /home/vaclav/.m2/repository/io/swagger/swagger-models/1.6.13/swagger-models-1.6.13.jar MD5: 00b7b4b1e3c2ab8f0d437d0ebbb306cb SHA1: e7cfcd5f6cb57c8e8aabefc85585edec2098472b SHA256:3ab8d998a28ec0fa77e75f5c3fa4426eb8fe1227370bfd16bb22fdf932fc5fbd Referenced In Project/Scope: OpenKM Web Application:compile swagger-models-1.6.13.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.6.3
File Path: /home/vaclav/.m2/repository/org/webjars/swagger-ui/3.17.6/swagger-ui-3.17.6.jar MD5: 46ca7ee57bac0ab09c2e194c0f9b0b9c SHA1: aa6e8134f67aea65a701823fc2b3a5dfe88344c8 SHA256:13d49d26d86a2b3151f1abf81f8a7686fb60e3c23b46651a9f2caf313f15d2af Referenced In Project/Scope: OpenKM Web Application:compile swagger-ui-3.17.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2019-17495 for details.
Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
File Path: /home/vaclav/.m2/repository/net/homeip/yusuke/twitter4j/2.0.10/twitter4j-2.0.10.jar MD5: 49730f953d7be7079b72e2ab636b37a9 SHA1: c8b34e93f444f1f022c06da64ddc66c0ab881e70 SHA256:3145370dc0efa152a8c4a7ec7ecd8ae1a16c03656079a7d2c2ef67b24135a89c Referenced In Project/Scope: OpenKM Web Application:compile twitter4j-2.0.10.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
TXW is a library that allows you to write XML documents.
File Path: /home/vaclav/.m2/repository/org/glassfish/jaxb/txw2/2.3.1/txw2-2.3.1.jar MD5: 0fed730907ba86376ef392ee7eb42d5f SHA1: a09d2c48d3285f206fafbffe0e50619284e92126 SHA256:34975dde1c6920f1a39791142235689bc3cd357e24d05edd8ff93b885bd68d60 Referenced In Project/Scope: OpenKM Web Application:runtime txw2-2.3.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.1
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ug.js MD5: 0108df06dde4b58814709af674bfa67d SHA1: 0e196a1a53b381c59a5e317262c4dc79b876a259 SHA256:dbeeb13b041482f07b4d1b7014435af6b2046dc88752ace9cc4584706015e4a1 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
uk.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/uk.js MD5: 5fc8070397b336aa1239d6b9e5238257 SHA1: c7c2e58c532c75655b75ee53042419fda85dff65 SHA256:4c82f649c3df27cd173b5feceaa1f8c9840967839310997d60a6bf82d3b4b905 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
uk_UA.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/uk_UA.js MD5: d0a387daa4de64a411dd2a9605a3806f SHA1: 1ef75e9fbdf48a9fc4a71b800ff8ff7fe3dad109 SHA256:dc4ee9cdec7ad4da405d95affc26059d823704bf83f2906b8ac115e28c6a447e Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
utils.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/utils.js MD5: 5f9453e89d67ce3b66c3e1c2569b3173 SHA1: 61436afead7ed4d7633f8f5e92c34927647dbe69 SHA256:b313c0e96ed8f9c2516dd814ffbd899387243e0eb642cf000fd0da31731bef0d Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
validation-api-1.0.0.GA-sources.jar
File Path: /home/vaclav/.m2/repository/javax/validation/validation-api/1.0.0.GA/validation-api-1.0.0.GA-sources.jar MD5: f816682933b59c5ffe32bdb4ab4bf628 SHA1: 7a561191db2203550fbfa40d534d4997624cd369 SHA256:a394d52a9b7fe2bb14f0718d2b3c8308ffe8f37e911956012398d55c9f9f9b54 Referenced In Project/Scope: OpenKM Web Application:provided validation-api-1.0.0.GA-sources.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.google.gwt/gwt-user@2.8.2
File Path: /home/vaclav/.m2/repository/javax/validation/validation-api/1.0.0.GA/validation-api-1.0.0.GA.jar MD5: 40c1ee909493066397a6d4d9f8d375d8 SHA1: b6bd7f9d78f6fdaa3c37dae18a4bd298915f328e SHA256:e459f313ebc6db2483f8ceaad39af07086361b474fa92e40f442e8de5d9895dc Referenced In Project/Scope: OpenKM Web Application:compile validation-api-1.0.0.GA.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-validator@4.2.0.Final
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/vanadium-min.js MD5: 71727055a43b609fc865e68538535ab4 SHA1: f2f30b9f9de9ba11c7e83412a540c32aa317b1c4 SHA256:aab828d86f70f6b82f5bb71f399e78c92ee1a45e7c98a5849c8ca17fc8edf4d6 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
vb.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/vb/vb.js MD5: 22de2d3acbccc5e74eaff8ace980a381 SHA1: 772049b15341b5fc741f8c89c6fa1ce13d83f688 SHA256:1dbda57d7bcec3716d0f21ade5746ae87ad4082814a5eb869e3c361f8ba1eaf0 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
vbscript.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/vbscript/vbscript.js MD5: d0c1b16ab2ff656d259991d6ef3abeda SHA1: 603caf8cd44c2c466e614ce332bf579cfb669a1a SHA256:1421c592dbfeafb44b1dc86492aa05ecfa1b96ed1a20650211d29f4a8406f252 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
velocity.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/velocity/velocity.js MD5: a4d7f47577676d599ba2bfc4bb7954ea SHA1: de7a01d923027d0512bb63f9e963fccd5a6b7bed SHA256:ec14554824a832edc766fe2ef0733df9fb6b78de5433a5804c18941582f78e0c Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
verilog.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/verilog/verilog.js MD5: ef520e90acdee48641791177475e3269 SHA1: e6b3c5b64d63a63d69edadfd584d40e782641013 SHA256:8ce2cf1329868c8a2da603bceaae118240b0fa2abecdc6e5b9683a16200f7e18 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
vi.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/vi.js MD5: e11661e0ceba12c19c54da4a4e7e1554 SHA1: bdb97555bff4c1d6cbcaa1efc5aab60f681b0636 SHA256:02d5a3b36b9cbb52f3aacb3f01dc50998c142d2c4f053b46aecf88c16c5dbdbd Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
vi_VN.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/vi_VN.js MD5: 36aec319a7d14e5f3a99162985d590b2 SHA1: 6aa97494e602f9b43f06a39e24ee3e83a8d0624a SHA256:db7b9c1db0dae08ebc3b0dcab29d9f470799d47bf9511218d99729240fbeb6f5 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
viewer.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/preview/pdfjs/web/viewer.js MD5: 18872607f660948440a6e15b0010d1a4 SHA1: a0e9caf5b2f0a79c2a08b0396b2c8d781e1b5f85 SHA256:71c160c6bb3ca933b6b083ed1ce812a39430f3281e368d938d175d5152e94d52 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
wmf2svg-0.9.0.jar
Description:
WMF to SVG Converting Tool & Library
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/net/arnx/wmf2svg/0.9.0/wmf2svg-0.9.0.jar MD5: 0c8a52661f38bc4afabb0f9de8e6a86a SHA1: 7b27809b43acb48c1ca65d68219256192a5a887b SHA256:7250466116c453ab11279f5ddada6f0df06df6696a1aeda12b3625255acbe712 Referenced In Project/Scope: OpenKM Web Application:compile wmf2svg-0.9.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.docx4j/docx4j@3.1.0
Woodstox is a high-performance XML processor that implements Stax (JSR-173),
SAX2 and Stax2 APIs
License:
The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.6.0/woodstox-core-6.6.0.jar MD5: 5481ba9ea67d034d92fd67132c83ccfc SHA1: 17cd66a8a9104b13a9639f017a39e2db38d0957b SHA256:43d8d5c8a1c6906099e843a4b41d0dc5c4bfdf2e55a3a256f609662cf23a97a5 Referenced In Project/Scope: OpenKM Web Application:compile woodstox-core-6.6.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.6.3
Woodstox is a high-performance XML processor that
implements Stax (JSR-173) and SAX2 APIs
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/codehaus/woodstox/woodstox-core-asl/4.2.0/woodstox-core-asl-4.2.0.jar MD5: ac7e73fcf52654c0642afdfccc7d9f57 SHA1: 7a3784c65cfa5c0553f31d000b43346feb1f4ee3 SHA256:5ccb662b21ed218aaf06fc0a46f8b78338bc4992a236b62b471fa3f2671ed0ae Referenced In Project/Scope: OpenKM Web Application:compile woodstox-core-asl-4.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-support@0.12.0
Those using Woodstox to parse XML data may be vulnerable to denial of service (DoS) attacks if DTD support is enabled. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow. This effect may support a denial of service attack.
File Path: /home/vaclav/.m2/repository/wsdl4j/wsdl4j/1.6.1/wsdl4j-1.6.1.jar MD5: 333331aee2e0f65e846b9ef0e20432e5 SHA1: 9e9cee064ec2c9c01e0cd6b8bffd1a7013d81f65 SHA256:0d712ccfd0f0edbf9b0e6793c9562d8c2037bfd8878e9d46f476a68d6f83c11e Referenced In Project/Scope: OpenKM Web Application:compile wsdl4j-1.6.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.ws/spring-ws-core@2.1.4.RELEASE
The Apache WSS4J project provides a Java implementation of the primary security standards
for Web Services, namely the OASIS Web Services Security (WS-Security) specifications
from the OASIS Web Services Security TC.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/ws/security/wss4j/1.6.4/wss4j-1.6.4.jar MD5: 02a33e0616383e8449f740d7062f78f7 SHA1: 16b921983c7b6077a39da75f5edf24f3402adbbb SHA256:8776d6166c461ba49a244c84be839303734257c8b4eb7abf62adf344c846902b Referenced In Project/Scope: OpenKM Web Application:compile wss4j-1.6.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via vectors related to "wrapping attacks."
CWE-264 Permissions, Privileges, and Access Controls
File Path: /home/vaclav/.m2/repository/org/apache/wss4j/wss4j-policy/2.4.3/wss4j-policy-2.4.3.jar MD5: 267dc758c1af2ed453b64b3739120f53 SHA1: da9d12731b1a92f82ee4557c4b7f1e27b2acdf5d SHA256:881e08717fc3126c218071e43c6ba73f97c1f0a6594ec4a7994ceea57b20e9a0 Referenced In Project/Scope: OpenKM Web Application:compile wss4j-policy-2.4.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.6.3
Xalan-Java is an XSLT processor for transforming XML documents into HTML,
text, or other XML document types. It implements XSL Transformations (XSLT)
Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from
the command line, in an applet or a servlet, or as a module in other programs.
File Path: /home/vaclav/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar MD5: d43aad24f2c143b675292ccfef487f9c SHA1: 75f1d83ce27bab5f29fff034fc74aa9f7266f22a SHA256:55a2e95144acf1abe44fea91c2948525c9b1f00fcaa1d10e753e92872ffbdd1e Referenced In Project/Scope: OpenKM Web Application:compile xalan-2.7.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.docx4j/docx4j@3.1.0
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
CWE-264 Permissions, Privileges, and Access Controls
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
CWE-681 Incorrect Conversion between Numeric Types
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
File Path: /home/vaclav/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar MD5: f807f86d7d9db25edbfc782aca7ca2a9 SHA1: 7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6 SHA256:6ae540a7c85c814ac64bea48016b3a6f45c95d4765f547fcc0053dc36c94ed5c Referenced In Project/Scope: OpenKM Web Application:compile xercesImpl-2.9.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.sourceforge.nekohtml/nekohtml@1.9.14
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
There is a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and previous versions.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)
The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier. The External Components portion of xml-commons contains
interfaces that are defined by external standards organizations. For DOM,
that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for
JAXP it's Sun.
File Path: /home/vaclav/.m2/repository/xml-apis/xml-apis/1.3.04/xml-apis-1.3.04.jar MD5: 9ae9c29e4497fc35a3eade1e6dd0bbeb SHA1: 90b215f48fe42776c8c7f6e3509ec54e84fd65ef SHA256:d404aa881eb9c5f7a4fb546e84ea11506cd417a72b5972e88eff17f43f9f8a64 Referenced In Project/Scope: OpenKM Web Application:compile xml-apis-1.3.04.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.sourceforge.nekohtml/nekohtml@1.9.14
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/fold/xml-fold.js MD5: e064e5342614b3f859d9250635a6cdc7 SHA1: 7b4a49564b646d1c15775bb87ed125d45ab15bf8 SHA256:e51866c5053ff0e007c0169fbd237f2741b1bb4b30ae204f998fab13eaa58b42 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
xml-hint.js
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/xml-hint.js MD5: 2518cfc347e5a11de902c509267378b5 SHA1: 4955f990758d1a7a052d639a06189ae19392d1d4 SHA256:4849491ef18b7bfb422b1360fcd3fe31b85d68ca1f46e979eb09e202ac5d1049 Referenced In Project/Scope: OpenKM Web Application
Evidence: none listed
Identifiers: None
xml-resolver-1.2.jar
Description:
xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier.
File Path: /home/vaclav/.m2/repository/xml-resolver/xml-resolver/1.2/xml-resolver-1.2.jar
MD5: 706c533146c1f4ee46b66659ea14583a
SHA1: 3d0f97750b3a03e0971831566067754ba4bfd68c
SHA256: 47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1
Referenced In Project/Scope: OpenKM Web Application:compile
xml-resolver-1.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.6.3
File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/xml/xml.js
MD5: 5234b745fcb9e1538edb18f357c87b45
SHA1: 617a14d7c0946b23d40efaf9c509d661ecaeb729
SHA256: 52627d94134b036958d52e579ef04b2b4c5932fb0ded31a016c4f5f53b42bd62
Referenced In Project/Scope: OpenKM Web Application
Evidence: none
Identifiers: None
xmlbeans-2.6.0.jar
Description:
XmlBeans main jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/xmlbeans/xmlbeans/2.6.0/xmlbeans-2.6.0.jar
MD5: 6591c08682d613194dacb01e95c78c2c
SHA1: 29e80d2dd51f9dcdef8f9ffaee0d4dc1c9bbfc87
SHA256: c77974359688b2823b48fa9a33da68559d64f8474441480d9df4f9e254332a96
Referenced In Project/Scope: OpenKM Web Application:compile
xmlbeans-2.6.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.poi/poi-ooxml-schemas@3.12
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Apache XML Graphics Commons is a library that consists of several reusable
components used by Apache Batik and Apache FOP. Many of these components
can easily be used separately outside the domains of SVG and XSL-FO.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/xmlgraphics/xmlgraphics-commons/1.5/xmlgraphics-commons-1.5.jar
MD5: 86090bc1cfbb6c7bb0efee2d6c6fd7b6
SHA1: 7fb5c2b2c18f0e87fbe9bded16429a5d7cc2dc2b
SHA256: 43ef52b2596b14deb291edea2b260aa6983389a87b15e31d6a5a2c54cc17ce7a
Referenced In Project/Scope: OpenKM Web Application:compile
xmlgraphics-commons-1.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0
Evidence
Type   | Source   | Name                  | Value                                                           | Confidence
Vendor | file     | name                  | xmlgraphics-commons                                             | High
Vendor | jar      | package name          | apache                                                          | Highest
Vendor | jar      | package name          | xmlgraphics                                                     | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation (http://xmlgraphics.apache.org/) |
Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.
File Path: /home/vaclav/.m2/repository/org/apache/ws/xmlschema/xmlschema-core/2.3.1/xmlschema-core-2.3.1.jar
MD5: 76e1deab5e6e1caa5fed31b3482cd266
SHA1: 5a83fc4e79d128f38c9e32138537060678151759
SHA256: 648f7f7e5228d89069cbc54c32404209f242581bc1c1e2e74229114f081071aa
Referenced In Project/Scope: OpenKM Web Application:compile
xmlschema-core-2.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.6.3
Apache Santuario supports XML-Signature Syntax and Processing,
W3C Recommendation 12 February 2002, and XML Encryption Syntax and
Processing, W3C Recommendation 10 December 2002. As of version 1.4,
the Java library supports the standard Java API JSR-105: XML Digital
Signature APIs.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/santuario/xmlsec/1.4.6/xmlsec-1.4.6.jar
MD5: d2008d3b8d655b5fe0caac768af07c01
SHA1: b56eff7e86e9efa2c32a1ab08693e2d6eb4b88de
SHA256: ab68a81077c1a9d30bc9384e5340787041767c76a5fa704a96e4d30e29d41976
Referenced In Project/Scope: OpenKM Web Application:compile
xmlsec-1.4.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.ws.security/wss4j@1.6.4
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-44483 for details
CWE-532 Insertion of Sensitive Information into Log File
Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect availability via unknown vectors related to Security.
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
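The canonicalization-spoofing finding above is, from the verifier's side, a failure to treat the algorithm identifiers inside an incoming SignedInfo as attacker-controlled input. The defensive counterpart is to allowlist the CanonicalizationMethod, SignatureMethod and Reference DigestMethod before calling validate, and to pin the verification key instead of letting KeyInfo choose it. The following is an added example written for this report; it is not Santuario's, OpenSAML's or OpenKM's code. It uses only the JDK's JSR 105 API (Java 11 or later, for the SignatureMethod constants and the generic Reference list), and it assumes the caller already holds the sender's expected public key and has parsed the document with a DTD-rejecting parser, which is what the separate DTD memory-consumption finding calls for.

```java
import java.security.PublicKey;
import java.util.Set;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * Added example (not Santuario's or OpenKM's code): validate an XML Signature only
 * when SignedInfo names algorithms chosen in advance. The document, and therefore
 * every algorithm URI in it, is untrusted input.
 */
public final class PinnedXmlSignatureValidator {

    // The allowlists are a local policy decision; these are conventional modern choices.
    private static final Set<String> ALLOWED_C14N = Set.of(
            CanonicalizationMethod.EXCLUSIVE,      // http://www.w3.org/2001/10/xml-exc-c14n#
            CanonicalizationMethod.INCLUSIVE);     // http://www.w3.org/TR/2001/REC-xml-c14n-20010315
    private static final Set<String> ALLOWED_SIGNATURE = Set.of(
            SignatureMethod.RSA_SHA256,
            SignatureMethod.ECDSA_SHA256);
    private static final Set<String> ALLOWED_DIGEST = Set.of(DigestMethod.SHA256);

    /**
     * @param signedDoc DOM of the signed message, built by a parser that rejects DTDs
     * @param expected  the public key already trusted for this sender (pinned, not taken from KeyInfo)
     * @return true only if the algorithms are allowed AND the signature verifies
     */
    public static boolean validate(Document signedDoc, PublicKey expected)
            throws MarshalException, XMLSignatureException {
        NodeList sigs = signedDoc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new SecurityException("expected exactly one ds:Signature, found " + sigs.getLength());
        }

        // singletonKeySelector ignores KeyInfo entirely: the attacker cannot supply the key.
        DOMValidateContext ctx = new DOMValidateContext(
                KeySelector.singletonKeySelector(expected), sigs.item(0));
        // JDK/Santuario switch that additionally rejects known-weak algorithms and transform abuse.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        // Check every declared algorithm BEFORE any canonicalization or digesting runs.
        String c14n = sig.getSignedInfo().getCanonicalizationMethod().getAlgorithm();
        if (!ALLOWED_C14N.contains(c14n)) {
            throw new SecurityException("CanonicalizationMethod not allowed: " + c14n);
        }
        String sm = sig.getSignedInfo().getSignatureMethod().getAlgorithm();
        if (!ALLOWED_SIGNATURE.contains(sm)) {
            throw new SecurityException("SignatureMethod not allowed: " + sm);
        }
        for (Reference r : sig.getSignedInfo().getReferences()) {
            String dm = r.getDigestMethod().getAlgorithm();
            if (!ALLOWED_DIGEST.contains(dm)) {
                throw new SecurityException("DigestMethod not allowed: " + dm);
            }
        }

        // Only now let the library canonicalize, digest and verify.
        return sig.validate(ctx);
    }
}
```

The order matters: unmarshalXMLSignature only reads the structure, so the algorithm checks run before any attacker-chosen canonicalization code path is executed. Rejecting a document with more or fewer than one Signature element also removes the usual signature-wrapping ambiguity about which element was actually verified.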
File Path: /home/vaclav/.m2/repository/org/opensaml/xmltooling/1.3.2-1/xmltooling-1.3.2-1.jar
MD5: 06de9a0632f8dc1064106e9bbaee66d5
SHA1: 6446e9ac7e90667d6883ac583c402601dec75e34
SHA256: f1527964c28ae3352681dafbdd0235f1d37b8c0b1c439280cf9e9b5a3cd4ca77
Referenced In Project/Scope: OpenKM Web Application:compile
xmltooling-1.3.2-1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.ws.security/wss4j@1.6.4
The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
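The XMLBeans finding earlier in this report (parsers created without the protective properties, allowing entity expansion) and the OpenSAML finding above (parser pools with expandEntityReferences left at true, allowing XXE) are the same mistake in two libraries: an XML parser handed untrusted input with DTD processing enabled. Where the application owns the parser, the fix is a DocumentBuilderFactory configured as below. This is an added example for this report, not code from XMLBeans, OpenSAML or OpenKM; it assumes the JDK's built-in JAXP implementation (Xerces), which understands the Apache and SAX feature URIs used, and the two payload strings are constructed for the demonstration, not taken from any advisory.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example: a DocumentBuilderFactory configured the way XMLBeans <= 2.6.0 and
 * OpenSAML < 2.6.1 did not configure theirs. Not code from either project.
 */
public final class HardenedXml {

    /** Builds a parser that refuses DTDs and never resolves or expands entities. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Strongest single control: with no DOCTYPE there are no entity declarations,
        // so neither XXE nor entity-expansion ("billion laughs") payloads can exist.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must allow a DOCTYPE:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);   // the property OpenSAML's parser pools left at true
        return f.newDocumentBuilder();
    }

    /** Parses untrusted XML; any parse failure is treated as a rejected document. */
    public static boolean accepts(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder hardened = newHardenedBuilder();
        // The vulnerable form: factory defaults, DTD processing and entity expansion on.
        DocumentBuilder defaults = DocumentBuilderFactory.newInstance().newDocumentBuilder();

        // Constructed payloads (not from any advisory): one XXE, one entity-expansion bomb.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE d [<!ENTITY x SYSTEM \"file:///etc/hostname\">]>\n"
                + "<d>&x;</d>";
        String entityBomb = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE d [\n"
                + " <!ENTITY a \"aaaaaaaaaa\">\n"
                + " <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n"
                + " <!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">\n"
                + "]>\n<d>&c;</d>";
        String benign = "<d><e>ok</e></d>";

        System.out.println("hardened accepts benign:      " + accepts(hardened, benign));
        System.out.println("hardened accepts XXE:         " + accepts(hardened, xxe));
        System.out.println("hardened accepts entity bomb: " + accepts(hardened, entityBomb));
        System.out.println("defaults accepts XXE:         " + accepts(defaults, xxe));
    }
}
```

The hardened builder rejects both constructed payloads at the DOCTYPE, before any entity is declared. For code that cannot control the factory, such as the XMLBeans and OpenSAML versions listed here, the only remediation is the version upgrade named in each finding.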
The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
The XOM Dual Streaming/Tree API for Processing XML
License:
The GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/vaclav/.m2/repository/xom/xom/1.2.5/xom-1.2.5.jar
MD5: 91b16b5b53ae0804671a57dbf7623fad
SHA1: 4166493b9f04e91b858ba4150b28b4d197f8f8ea
SHA256: 0e22c49ab86a6533299160b95db9201fd7040f4f082e90d563ca7e8d972bbe3a
Referenced In Project/Scope: OpenKM Web Application:compile
xom-1.2.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sf.jodreports/jodreports@2.4.0
File Path: /home/vaclav/.m2/repository/net/lingala/zip4j/zip4j/1.3.2/zip4j-1.3.2.jar
MD5: 67577b0541256ea89d15e0edb6d2a7b8
SHA1: 4ba84e98ee017b74cb52f45962f929a221f3074c
SHA256: c67098d430c574311432728ebd4c7c45672f9ccf5c64702eb6afb8816c22ad08
Referenced In Project/Scope: OpenKM Web Application:compile
zip4j-1.3.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12
zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
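The Zip-Slip finding above is worth seeing as a concrete check, because the same bug recurs in any extraction code that joins an archive entry name onto a destination directory without confirming the result stays inside it. The example below is added for this report and is not zip4j's or OpenKM's code. It uses only java.util.zip so that it runs stand-alone; the archive it extracts is constructed in memory and contains one honest entry and one "../../" entry of the kind the finding describes. The same resolveSafely check applies unchanged when zip4j or any other library supplies the entry names.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Added example (not zip4j's code): extraction that fails closed on path traversal. */
public final class SafeUnzip {

    /**
     * Resolves an entry name under destDir and rejects anything that escapes it.
     * Path.startsWith compares whole path components, so "/tmp/out-evil" is not
     * treated as being inside "/tmp/out" the way a String.startsWith check would.
     * An absolute entry name resolves to itself and is therefore rejected too.
     */
    static Path resolveSafely(Path destDir, String entryName) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("Zip-Slip: entry escapes destination directory: " + entryName);
        }
        return target;
    }

    /** Extracts all entries, stopping at the first traversal attempt. Returns the files written. */
    public static List<Path> extract(InputStream zip, Path destDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(zip)) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                Path target = resolveSafely(destDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    // Files.copy reads to the end of the current entry and does not close `in`.
                    Files.copy(in, target);
                    written.add(target);
                }
                in.closeEntry();
            }
        }
        return written;
    }

    /** Constructed sample archive: one honest entry followed by a traversal entry. */
    static byte[] sampleArchive() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(buf)) {
            z.putNextEntry(new ZipEntry("docs/readme.txt"));
            z.write("hello".getBytes(StandardCharsets.UTF_8));
            z.closeEntry();
            // ZipOutputStream does not validate names, so a malicious archive is trivial to build.
            z.putNextEntry(new ZipEntry("../../outside.txt"));
            z.write("owned".getBytes(StandardCharsets.UTF_8));
            z.closeEntry();
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("unzip-demo");
        try {
            extract(new ByteArrayInputStream(sampleArchive()), dest);
        } catch (IOException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
        System.out.println("nothing was written outside " + dest);
    }
}
```

Because the archive is read as a stream, the honest entry has already been written when the traversal entry is rejected; when the archive is file-backed, iterate java.util.zip.ZipFile.entries() and run resolveSafely over every name before writing anything, so a bad archive leaves no partial output. Symbolic links created by an earlier entry are a separate concern that normalize() does not address; extracting into a freshly created directory, as above, avoids it.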
zip4j up to v2.10.0 can throw various uncaught exceptions while parsing a specially crafted ZIP file, which could result in an application crash. This could be used to mount a denial of service attack against services that use zip4j library.
CWE-755 Improper Handling of Exceptional Conditions